/srv/reproducible-results/rbuild-debian/tmp.DIBroHFLXw/b1/scap-security-guide_0.1.39-2_armhf.changes vs.
/srv/reproducible-results/rbuild-debian/tmp.DIBroHFLXw/b2/scap-security-guide_0.1.39-2_armhf.changes
Files
    
Offset 1, 6 lines modifiedOffset 1, 6 lines modified
  
1 ·4c8d57eead715d32d3cd21c1a069409a·135420·admin·optional·ssg-applications_0.1.39-2_all.deb1 ·b2ffbc18a5380b9fd40e39f46deefeba·135460·admin·optional·ssg-applications_0.1.39-2_all.deb
2 ·4c0015be793df1ca99454c137ac6ffdb·22640·admin·optional·ssg-base_0.1.39-2_all.deb2 ·4c0015be793df1ca99454c137ac6ffdb·22640·admin·optional·ssg-base_0.1.39-2_all.deb
3 ·711b70e3913a5146882198044d055491·167432·admin·optional·ssg-debderived_0.1.39-2_all.deb3 ·bf02caa4d092b6cda46075b6dabb5e13·167408·admin·optional·ssg-debderived_0.1.39-2_all.deb
4 ·94fc71de0cc23aaedd8e7c33a4184f30·155556·admin·optional·ssg-debian_0.1.39-2_all.deb4 ·7168b4d1d8a95272fe7849255be0d6e9·155464·admin·optional·ssg-debian_0.1.39-2_all.deb
5 ·b8b66ff519d17df948005e37816bd1ce·5257372·admin·optional·ssg-nondebian_0.1.39-2_all.deb5 ·60b89670ab698377c7aa57c0bb1ea682·5252052·admin·optional·ssg-nondebian_0.1.39-2_all.deb
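Review bot: Four of the five binary packages in the Files stanza (ssg-applications, ssg-debderived, ssg-debian and ssg-nondebian, lines 1 and 3–5) change both checksum and size between the two builds, and only ssg-base on line 2 reproduces, so the non-determinism is not confined to the ssg-applications package whose contents this page goes on to show. Small size deltas with no version change across several packages built from the same source is consistent with a content-ordering difference in generated files rather than a toolchain difference, though only ssg-applications is unpacked here. I would treat whatever fixes the ordering of the generated HTML guides as the candidate fix for all four and re-check their checksums afterwards rather than chasing each package separately.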
ssg-applications_0.1.39-2_all.deb
file list
    
Offset 1, 3 lines modifiedOffset 1, 3 lines modified
1 -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary1 -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary
2 -rw-r--r--···0········0········0·····1820·2018-07-26·14:58:28.000000·control.tar.xz2 -rw-r--r--···0········0········0·····1812·2018-07-26·14:58:28.000000·control.tar.xz
3 -rw-r--r--···0········0········0···133408·2018-07-26·14:58:28.000000·data.tar.xz3 -rw-r--r--···0········0········0···133456·2018-07-26·14:58:28.000000·data.tar.xz
control.tar.xz
control.tar
./md5sums
./md5sums
Files differ
data.tar.xz
data.tar
./usr/share/doc/ssg-applications/ssg-chromium-guide-stig-chromium-upstream.html
    
Offset 393, 25 lines modifiedOffset 393, 25 lines modified
393 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}393 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
394 if·!·[·$?·-eq·0·]·;·then394 if·!·[·$?·-eq·0·]·;·then
395 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}395 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
396 else396 else
397 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}397 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
398 fi398 fi
399 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting"·id="guide-tree-leaf-idm1562"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting">Disable·Metrics·Reporting399 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_popups"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_popups"·id="guide-tree-leaf-idm1562"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_popups">Disable·Popups
400 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Whenever·Chromium·crashes,·it·sends·its·usage·and·crash-related·data·to·Google.400 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_popups">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Chromium·allows·you·to·manage·whether·or·not·unwanted·pop-up·windows·appear.
401 This·should·be·disabled·by·setting·<code>MetricsReportingEnabled</code>·to·401 To·disable·pop-ups,·set·<code>DefaultPopupsSetting</code>·to·<code>2</code>·
402 <code>false</code>·in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·reporting·of·usage·and·crash-related·data·is·sent·to·Google.402 in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Pop-up·windows·should·be·disabled·to·prevent·malicious·websites·from·controlling
403 A·crash·report·could·contain·sensitive·information·from·the·computer's·memory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 403 pop-up·windows·or·fooling·users·into·clicking·on·the·wrong·window.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
404 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 404 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
405 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 405 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
406 ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0026</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1570">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1570"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json"406 ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0004</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1570">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1570"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json"
407 CHROME_POL_DIR="/etc/chromium/policies/managed/"407 CHROME_POL_DIR="/etc/chromium/policies/managed/"
408 POL_SETTING="MetricsReportingEnabled"408 POL_SETTING="DefaultPopupsSetting"
409 POL_SETTING_VAL="false"409 POL_SETTING_VAL="2"
  
410 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}410 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
411 if·!·[·$?·-eq·0·]·;·then411 if·!·[·$?·-eq·0·]·;·then
412 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}412 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
413 else413 else
414 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}414 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
Offset 492, 23 lines modifiedOffset 492, 24 lines modified
492 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}492 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
493 if·!·[·$?·-eq·0·]·;·then493 if·!·[·$?·-eq·0·]·;·then
494 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}494 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
495 else495 else
496 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}496 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
497 fi497 fi
498 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_cleartext_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_cleartext_passwords"·id="guide-tree-leaf-idm1629"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_cleartext_passwords">Disable·Use·of·Cleartext·Passwords498 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization"·id="guide-tree-leaf-idm1629"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization">Require·Outdated·Plugins·to·be·Authorized
499 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_cleartext_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Chromium·allows·users·to·import·and·store·passwords·in·cleartext.·This·should·be·499 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_plugins_require_authorization">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Chromium·should·prompt·users·for·authorization·to·run·outdated·plugins.·This
500 disabled·by·setting·<code>PasswordManagerAllowShowPasswords</code>·to·<code>false</code>500 can·be·enabled·by·setting·<code>AlwaysAuthorizePlugins</code>·to·<code>false</code>
501 in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Cleartext·passwords·would·allow·another·individual·to·see·password·via·shoulder·surfing.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 501 in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Outdated·plugins·can·compromise·security·and·should·request·authorization·from
 502 the·user·before·running.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
502 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 503 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
503 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 504 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
504 ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0010</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1637">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1637"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json"505 ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0014</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1637">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1637"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json"
505 CHROME_POL_DIR="/etc/chromium/policies/managed/"506 CHROME_POL_DIR="/etc/chromium/policies/managed/"
506 POL_SETTING="PasswordManagerAllowShowPasswords"507 POL_SETTING="AlwaysAuthorizePlugins"
507 POL_SETTING_VAL="false"508 POL_SETTING_VAL="false"
  
508 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}509 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
509 if·!·[·$?·-eq·0·]·;·then510 if·!·[·$?·-eq·0·]·;·then
510 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}511 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
511 else512 else
Offset 653, 24 lines modifiedOffset 654, 26 lines modified
653 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}654 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
654 if·!·[·$?·-eq·0·]·;·then655 if·!·[·$?·-eq·0·]·;·then
655 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}656 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
656 else657 else
657 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}658 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
658 fi659 fi
659 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction"·id="guide-tree-leaf-idm1741"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction">Disable·Network·Prediction660 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_google_sync"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_google_sync"·id="guide-tree-leaf-idm1741"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_google_sync">Disable·Data·Synchronization·to·Google
660 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·disable·the·network·prediction·feature,·set·<code>DnsPrefetchingEnabled</code>661 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_google_sync">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p><code>SyncDisabled</code>·to·<code>true</code>·in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Google·Sync·is·used·to·sync·information·between·different·user·devices,
661 to·<code>false</code>·in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>This·controls·not·only·DNS·prefetching·but·also·TCP·and·SSL·preconnection662 this·data·is·then·stored·on·Google·owned·servers.·The·synced·data·may·consist
662 and·prerendering·of·web·pages.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 663 of·information·such·as·email,·calendars,·viewing·history,·etc.·This·feature·must
 664 be·disabled·because·the·organization·does·not·have·control·over·the·servers·the
 665 data·is·stored·on.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
663 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 666 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
664 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 667 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
665 ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0025</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1749">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1749"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json"668 ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0020</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1749">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1749"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json"
666 CHROME_POL_DIR="/etc/chromium/policies/managed/"669 CHROME_POL_DIR="/etc/chromium/policies/managed/"
667 POL_SETTING="DnsPrefetchingEnabled"670 POL_SETTING="SyncDisabled"
668 POL_SETTING_VAL="false"671 POL_SETTING_VAL="true"
  
669 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}672 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
670 if·!·[·$?·-eq·0·]·;·then673 if·!·[·$?·-eq·0·]·;·then
671 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}674 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
672 else675 else
673 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}676 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
Offset 692, 25 lines modifiedOffset 695, 25 lines modified
692 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}695 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
693 if·!·[·$?·-eq·0·]·;·then696 if·!·[·$?·-eq·0·]·;·then
694 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}697 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
695 else698 else
696 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}699 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
697 fi700 fi
698 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_popups"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_popups"·id="guide-tree-leaf-idm1767"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_popups">Disable·Popups701 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting"·id="guide-tree-leaf-idm1767"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting">Disable·Metrics·Reporting
699 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_popups">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Chromium·allows·you·to·manage·whether·or·not·unwanted·pop-up·windows·appear.702 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_metrics_reporting">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Whenever·Chromium·crashes,·it·sends·its·usage·and·crash-related·data·to·Google.
700 To·disable·pop-ups,·set·<code>DefaultPopupsSetting</code>·to·<code>2</code>·703 This·should·be·disabled·by·setting·<code>MetricsReportingEnabled</code>·to·
701 in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Pop-up·windows·should·be·disabled·to·prevent·malicious·websites·from·controlling704 <code>false</code>·in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·reporting·of·usage·and·crash-related·data·is·sent·to·Google.
702 pop-up·windows·or·fooling·users·into·clicking·on·the·wrong·window.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 705 A·crash·report·could·contain·sensitive·information·from·the·computer's·memory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
703 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 706 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
704 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 707 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
705 ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0004</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1775">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1775"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json"708 ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0026</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1775">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1775"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json"
706 CHROME_POL_DIR="/etc/chromium/policies/managed/"709 CHROME_POL_DIR="/etc/chromium/policies/managed/"
707 POL_SETTING="DefaultPopupsSetting"710 POL_SETTING="MetricsReportingEnabled"
708 POL_SETTING_VAL="2"711 POL_SETTING_VAL="false"
  
709 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}712 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
710 if·!·[·$?·-eq·0·]·;·then713 if·!·[·$?·-eq·0·]·;·then
711 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}714 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
712 else715 else
713 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}716 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
Offset 776, 26 lines modifiedOffset 779, 24 lines modified
776 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}779 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
777 if·!·[·$?·-eq·0·]·;·then780 if·!·[·$?·-eq·0·]·;·then
778 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}781 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
779 else782 else
780 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}783 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
781 fi784 fi
782 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_google_sync"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_google_sync"·id="guide-tree-leaf-idm1821"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_google_sync">Disable·Data·Synchronization·to·Google785 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction"·id="guide-tree-leaf-idm1821"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_chromium"><td·style="padding-left:·38px"><h4·id="xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction">Disable·Network·Prediction
783 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_google_sync">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p><code>SyncDisabled</code>·to·<code>true</code>·in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>Google·Sync·is·used·to·sync·information·between·different·user·devices,786 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chromium_disable_network_prediction">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·disable·the·network·prediction·feature,·set·<code>DnsPrefetchingEnabled</code>
784 this·data·is·then·stored·on·Google·owned·servers.·The·synced·data·may·consist787 to·<code>false</code>·in·the·Chromium·policy·file.</p><span·class="label·label-primary">Rationale:</span><p>This·controls·not·only·DNS·prefetching·but·also·TCP·and·SSL·preconnection
785 of·information·such·as·email,·calendars,·viewing·history,·etc.·This·feature·must788 and·prerendering·of·web·pages.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
786 be·disabled·because·the·organization·does·not·have·control·over·the·servers·the 
787 data·is·stored·on.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
788 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 789 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
789 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 790 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
790 ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0020</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1829">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1829"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json"791 ············<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DISA·FSO·DTBC0025</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1829">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1829"><pre><code>CHROME_POL_FILE="chrome_stig_policy.json"
791 CHROME_POL_DIR="/etc/chromium/policies/managed/"792 CHROME_POL_DIR="/etc/chromium/policies/managed/"
792 POL_SETTING="SyncDisabled"793 POL_SETTING="DnsPrefetchingEnabled"
793 POL_SETTING_VAL="true"794 POL_SETTING_VAL="false"
  
794 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}795 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
795 if·!·[·$?·-eq·0·]·;·then796 if·!·[·$?·-eq·0·]·;·then
Max diff block lines reached; 4518/26862 bytes (16.82%) of diff not shown.
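Review bot: The two sides of this file differ only in the order in which rule sections are emitted — at line 399 the first build renders chromium_disable_metrics_reporting where the second renders chromium_disable_popups, and the same swaps recur at lines 498, 659, 698 and 782 — while the rule descriptions and remediation scripts are byte-identical, which points to unsorted iteration in the guide generator rather than a content change; sorting rules by their XCCDF id before rendering is the reproducibility fix, and it belongs upstream of this package. The embedded remediation script also has two weak checks worth reporting upstream: `grep -q ${POL_SETTING} ${CHROME_POL_DIR}/${CHROME_POL_FILE}` matches the key as an unanchored substring, and `sed -i -e '/{/a ...'` appends after every line containing `{`, so a policy file with nested objects would get the key inserted more than once. Anchoring the test on the quoted key, `grep -q "\"${POL_SETTING}\"" "${CHROME_POL_DIR}/${CHROME_POL_FILE}"`, and limiting the insert to the first brace with the GNU sed `0,/{/` address would make both steps idempotent. The script never creates `${CHROME_POL_DIR}/${CHROME_POL_FILE}` when it is absent, so on a host without a managed policy file the grep fails and the following `sed -i` errors out instead of installing the setting. The final hunk is cut off by the diff-size limit, so the tail of the file is not reviewed here.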
./usr/share/doc/ssg-applications/ssg-firefox-guide-default.html
    
Offset 48, 31 lines modifiedOffset 48, 31 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_firefox">Firefox56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_firefox">Firefox
57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla.57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla.
58 Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section·58 Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section·
59 provides·settings·for·configuring·Firefox·policies·to·meet·compliance·59 provides·settings·for·configuring·Firefox·policies·to·meet·compliance·
60 settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems.60 settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems.
  
61 <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li>61 <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li>
62 for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required62 for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data
 63 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data
 64 operation·when·closing·the·browser·in·order·to·clear·cookies·and·other
 65 data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings
 66 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required
63 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Shared·System·Certificates·store·contains·certificates·that67 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Shared·System·Certificates·store·contains·certificates·that
64 applications·can·access·for·a·single·certificate·repository.68 applications·can·access·for·a·single·certificate·repository.
65 If·enabled,·Firefox·can·access·that·single·system·certificate69 If·enabled,·Firefox·can·access·that·single·system·certificate
66 repository.·If·the·DoD·root·certificate·is·also·installed·into70 repository.·If·the·DoD·root·certificate·is·also·installed·into
67 the·shared·system·certificate·repository,·Firefox·will·see·and·71 the·shared·system·certificate·repository,·Firefox·will·see·and·
68 use·the·DoD·root·certificate·as·a·valid·certificate·authority.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data72 use·the·DoD·root·certificate·as·a·valid·certificate·authority.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr></tbody></table></div><div·id="rear-matter"><div·class="row·top-spacer-10"><div·class="col-md-12·well·well-lg"><div·class="rear-matter">Red·Hat·and·Red·Hat·Enterprise·Linux·are·either·registered
69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data 
70 operation·when·closing·the·browser·in·order·to·clear·cookies·and·other 
71 data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings 
72 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"></td></tr></tbody></table></div><div·id="rear-matter"><div·class="row·top-spacer-10"><div·class="col-md-12·well·well-lg"><div·class="rear-matter">Red·Hat·and·Red·Hat·Enterprise·Linux·are·either·registered 
73 trademarks·or·trademarks·of·Red·Hat,·Inc.·in·the·United·States·and·other73 trademarks·or·trademarks·of·Red·Hat,·Inc.·in·the·United·States·and·other
74 countries.·All·other·names·are·registered·trademarks·or·trademarks·of·their74 countries.·All·other·names·are·registered·trademarks·or·trademarks·of·their
75 respective·companies.75 respective·companies.
76 </div></div></div></div></div></div><footer·id="footer"><div·class="container"><p·class="muted·credit">76 </div></div></div></div></div></div><footer·id="footer"><div·class="container"><p·class="muted·credit">
77 ················Generated·using·<a·href="http://open-scap.org">OpenSCAP</a>·1.2.16</p></div></footer></body></html>77 ················Generated·using·<a·href="http://open-scap.org">OpenSCAP</a>·1.2.16</p></div></footer></body></html>
51.2 KB
./usr/share/doc/ssg-applications/ssg-firefox-guide-stig-firefox-upstream.html
    
Offset 59, 67 lines modifiedOffset 59, 34 lines modified
59 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in59 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
60 this·guide·without·first·testing·them·in·a·non-operational·environment.·The60 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
61 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by61 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
62 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its62 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
63 quality,·reliability,·or·any·other·characteristic.63 quality,·reliability,·or·any·other·characteristic.
64 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Upstream·Firefox·STIG</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-firefox-upstream</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>64 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Upstream·Firefox·STIG</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-firefox-upstream</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
65 ····························(as·of·2018-07-26)65 ····························(as·of·2018-07-26)
66 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·0px"><small>contains·28·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_firefox">Firefox66 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/a:mozilla:firefox</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox">Firefox</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings</a></li><li><a·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·0px"><small>contains·28·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_firefox">Firefox
67 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla.67 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·is·an·open-source·web·browser·and·developed·by·Mozilla.
68 Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section·68 Web·browsers·such·as·Firefox·are·used·for·a·number·of·reasons.·This·section·
69 provides·settings·for·configuring·Firefox·policies·to·meet·compliance·69 provides·settings·for·configuring·Firefox·policies·to·meet·compliance·
70 settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems.70 settings·for·Firefox·running·on·Red·Hat·Enterprise·Linux·systems.
  
71 <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li>71 <ul>Refer·to·<li><a·href="http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries">http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries</a></li>
72 for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><small>contains·28·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">The·DoD·Root·Certificate·Is·Required72 for·a·list·of·currently·supported·Firefox·settings.</ul></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FIREFOX"><td·style="padding-left:·19px"><small>contains·28·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Shared·System·Certificates·store·contains·certificates·that 
74 applications·can·access·for·a·single·certificate·repository. 
75 If·enabled,·Firefox·can·access·that·single·system·certificate 
76 repository.·If·the·DoD·root·certificate·is·also·installed·into 
77 the·shared·system·certificate·repository,·Firefox·will·see·and· 
78 use·the·DoD·root·certificate·as·a·valid·certificate·authority.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed"·id="guide-tree-leaf-idm1055"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed">The·DoD·Root·Certificate·Exists 
79 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-dod_root_certificate_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·DoD·root·certificate·should·be·installed·in·the·Shared·System·Certificates·store 
80 for·Firefox·to·be·able·to·access·the·DoD·certificate.·To·install·the·root·certificated 
81 into·the·Shared·System·Certificates·store,·copy·the·DoD·root·certificate·into 
82 <code>/etc/pki/ca-trust/source/anchors</code>.·Once·the·file·is·copied,·run·the·following 
83 command: 
84 <pre>$·sudo·update-ca-trust·extract</pre></p><span·class="label·label-primary">Rationale:</span><p>The·DOD·root·certificate·will·ensure·that·the·trust·chain·is 
85 established·for·server·certificates·issued·from·the·DOD·CA.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
86 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
87 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27457-1">CCE-27457-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
88 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000054</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust"·id="guide-tree-leaf-idm1066"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-dod_root_certificate"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust">Enable·Shared·System·Certificates 
89 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-enable_ca_trust">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Shared·System·Certificates·store·makes·NSS,·GnuTLS,·OpenSSL,·and·Java 
90 share·a·default·source·for·retrieving·system·certificate·anchors·and·blacklist 
91 information.·Firefox·has·the·capability·of·using·this·centralized·store·for·its 
92 CA·certificates.·If·the·Shared·System·Certificates·store·is·disabled,·it·can 
93 be·enabled·by·running·the·following·command: 
94 <pre>$·sudo·update-ca-trust·enable</pre></p><span·class="label·label-primary">Rationale:</span><p>The·DOD·root·certificate·will·ensure·that·the·trust·chain·is 
95 established·for·server·certificates·issued·from·the·DOD·CA.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
96 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
97 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27457-1">CCE-27457-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
98 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000054</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1074">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1074"><pre><code>P11=$(readlink·/etc/alternatives/libnssckbi.so*) 
99 P11LIB="/usr/lib/pkcs11/p11-kit-trust.so" 
100 P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so" 
  
101 if·!·[[·${P11}·==·"${P11LIB64}"·]]·||·!·[[·${P11}·==·"${P11LIB}"·]]·;·then 
102 ···/usr/bin/update-ca-trust·enable 
103 fi 
104 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-cookies">Clearing·Cookies·And·Other·Data 
105 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-cookies">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Browser·preferences·should·be·set·to·perform·a·Clear·Private·Data
106 operation·when·closing·the·browser·in·order·to·clear·cookies·and·other74 operation·when·closing·the·browser·in·order·to·clear·cookies·and·other
107 data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·id="guide-tree-leaf-idm1080"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice">Disable·User·Prompt·When·Data·Is·Cleared75 data·installed·by·websites·visited·during·the·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice"·id="guide-tree-leaf-idm1055"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice">Disable·User·Prompt·When·Data·Is·Cleared
108 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·users·are·asked·if·it·is·okay·to·clear·out·cookies·and·data76 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_user_notice">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·users·are·asked·if·it·is·okay·to·clear·out·cookies·and·data
109 when·Firefox·closes.·This·can·be·disabled·by·77 when·Firefox·closes.·This·can·be·disabled·by·
110 setting·<code>privacy.sanitize.promptOnSanitize</code>·to·<code>false</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware.78 setting·<code>privacy.sanitize.promptOnSanitize</code>·to·<code>false</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware.
111 To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private79 To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private
112 Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and80 Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and
113 other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 81 other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
114 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 82 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
115 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 83 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
116 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1090"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the84 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1065">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1065"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the
117 #·preference·if·it·does·not·exist.85 #·preference·if·it·does·not·exist.
118 #86 #
119 #·Expects·three·arguments:87 #·Expects·three·arguments:
120 #88 #
121 #·config_file:··········Configuration·file·that·will·be·modified89 #·config_file:··········Configuration·file·that·will·be·modified
122 #·key:··················Configuration·option·to·change90 #·key:··················Configuration·option·to·change
123 #·value:················Value·of·the·configuration·option·to·change91 #·value:················Value·of·the·configuration·option·to·change
Offset 168, 24 lines modifiedOffset 135, 24 lines modified
168 ········echo·"lockPref(\"${key}\",·${value});"·&gt;&gt;·"${firefox_dir}/${firefox_cfg}"135 ········echo·"lockPref(\"${key}\",·${value});"·&gt;&gt;·"${firefox_dir}/${firefox_cfg}"
169 ······fi136 ······fi
170 ····fi137 ····fi
171 ··done138 ··done
172 }139 }
  
173 firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false"140 firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false"
174 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·id="guide-tree-leaf-idm1096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear">Clear·Data·When·Firefox·Closes141 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear"·id="guide-tree-leaf-idm1071"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-cookies"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear">Clear·Data·When·Firefox·Closes
175 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>When·a·user·browses·to·a·website,·cookies·and·other·types·of·data142 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-cookies_clear">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>When·a·user·browses·to·a·website,·cookies·and·other·types·of·data
176 get·stored·on·the·system.·This·can·be·disabled·by·setting143 get·stored·on·the·system.·This·can·be·disabled·by·setting
177 <code>privacy.sanitize.sanitizeOnShutdown</code>·to·<code>true</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware.144 <code>privacy.sanitize.sanitizeOnShutdown</code>·to·<code>true</code>.</p><span·class="label·label-primary">Rationale:</span><p>Cookies·can·help·websites·perform·better·but·can·also·be·part·of·spyware.
178 To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private145 To·mitigate·this·risk,·set·browser·preferences·to·perform·a·Clear·Private
179 Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and146 Data·operation·when·closing·the·browser·in·order·to·clear·cookies·and
180 other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 147 other·data·installed·by·websites·visited·during·the·session.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
181 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 148 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
182 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 149 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
183 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1106"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the150 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-16716r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1081">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1081"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the
184 #·preference·if·it·does·not·exist.151 #·preference·if·it·does·not·exist.
185 #152 #
186 #·Expects·three·arguments:153 #·Expects·three·arguments:
187 #154 #
188 #·config_file:··········Configuration·file·that·will·be·modified155 #·config_file:··········Configuration·file·that·will·be·modified
189 #·key:··················Configuration·option·to·change156 #·key:··················Configuration·option·to·change
190 #·value:················Value·of·the·configuration·option·to·change157 #·value:················Value·of·the·configuration·option·to·change
Offset 235, 22 lines modifiedOffset 202, 22 lines modified
235 ······fi202 ······fi
236 ····fi203 ····fi
237 ··done204 ··done
238 }205 }
  
239 firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true"206 firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true"
240 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings207 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">Prevent·Users·from·Changing·Firefox·Configuration·Settings
241 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·id="guide-tree-leaf-idm1115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure">Disable·Firefox·Configuration·File·ROT-13·Encoding208 ························  
<a·class="small"·href="#xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Firefox·required·security·preferences·cannot·be·changed·by·users.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure"·id="guide-tree-leaf-idm1090"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure">Disable·Firefox·Configuration·File·ROT-13·Encoding
242 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Disable·ROT-13·encoding·by·setting·<code>general.config.obscure_value</code>209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_obscure">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Disable·ROT-13·encoding·by·setting·<code>general.config.obscure_value</code>
243 to·<code>0</code>.</p><span·class="label·label-primary">Rationale:</span><p>ROT-13·encoded·prevents·system·adminstrators·from·easily·configuring210 to·<code>0</code>.</p><span·class="label·label-primary">Rationale:</span><p>ROT-13·encoded·prevents·system·adminstrators·from·easily·configuring
244 and·deploying·Firefox·configuration·settings.·It·also·prevents·validating211 and·deploying·Firefox·configuration·settings.·It·also·prevents·validating
245 settings·easily·from·automated·security·tools.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 212 settings·easily·from·automated·security·tools.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
246 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 213 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
247 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 214 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
248 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-21889r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1125">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1125"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the215 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">ECSC-1</a>,·<a·href="http://iase.disa.mil/stigs/app-security/browser-guidance/Pages/index.aspx">DTBF070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-21889r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm1100">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm1100"><pre><code>#·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the
249 #·preference·if·it·does·not·exist.216 #·preference·if·it·does·not·exist.
250 #217 #
251 #·Expects·three·arguments:218 #·Expects·three·arguments:
252 #219 #
253 #·config_file:··········Configuration·file·that·will·be·modified220 #·config_file:··········Configuration·file·that·will·be·modified
254 #·key:··················Configuration·option·to·change221 #·key:··················Configuration·option·to·change
255 #·value:················Value·of·the·configuration·option·to·change222 #·value:················Value·of·the·configuration·option·to·change
Offset 312, 22 lines modifiedOffset 279, 22 lines modified
312 ······fi279 ······fi
313 ····fi280 ····fi
314 ··done281 ··done
  
315 }282 }
  
316 firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0"283 firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0"
317 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·id="guide-tree-leaf-idm1131"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file">Set·Firefox·Configuration·File·Location284 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file"·id="guide-tree-leaf-idm1106"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firefox_preferences-lock_settings"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file">Set·Firefox·Configuration·File·Location
318 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Specify·the·Firefox·configuration·file·location·by·setting·285 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_firefox_preferences-lock_settings_config_file">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Specify·the·Firefox·configuration·file·location·by·setting·
319 <code>general.config.filename</code>·to·the·configuration·(i.e.·<code>mozilla.cfg</code>)286 <code>general.config.filename</code>·to·the·configuration·(i.e.·<code>mozilla.cfg</code>)
320 filename·that·contains·the·Firefox·security·preferences.</p><span·class="label·label-primary">Rationale:</span><p>Locked·settings·prevents·users·from·accessing·about:config·and·changing287 filename·that·contains·the·Firefox·security·preferences.</p><span·class="label·label-primary">Rationale:</span><p>Locked·settings·prevents·users·from·accessing·about:config·and·changing
Max diff block lines reached; 24041/52247 bytes (46.01%) of diff not shown.
10.1 KB
./usr/share/scap-security-guide/bash/ssg-chromium-role-stig-chromium-upstream.sh
    
Offset 318, 30 lines modifiedOffset 318, 30 lines modified
318 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}318 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
319 else319 else
320 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}320 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
321 fi321 fi
322 #·END·fix·for·'chromium_disable_saved_passwords'322 #·END·fix·for·'chromium_disable_saved_passwords'
  
323 ###############################################################################323 ###############################################################################
324 #·BEGIN·fix·(16·/·37)·for·'chromium_disable_metrics_reporting'324 #·BEGIN·fix·(16·/·37)·for·'chromium_disable_popups'
325 ###############################################################################325 ###############################################################################
326 (>&2·echo·"Remediating·rule·16/37:·'chromium_disable_metrics_reporting'")326 (>&2·echo·"Remediating·rule·16/37:·'chromium_disable_popups'")
327 CHROME_POL_FILE="chrome_stig_policy.json"327 CHROME_POL_FILE="chrome_stig_policy.json"
328 CHROME_POL_DIR="/etc/chromium/policies/managed/"328 CHROME_POL_DIR="/etc/chromium/policies/managed/"
329 POL_SETTING="MetricsReportingEnabled"329 POL_SETTING="DefaultPopupsSetting"
330 POL_SETTING_VAL="false"330 POL_SETTING_VAL="2"
  
331 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}331 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
332 if·!·[·$?·-eq·0·]·;·then332 if·!·[·$?·-eq·0·]·;·then
333 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}333 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
334 else334 else
335 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}335 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
336 fi336 fi
337 #·END·fix·for·'chromium_disable_metrics_reporting'337 #·END·fix·for·'chromium_disable_popups'
  
338 ###############################################################################338 ###############################################################################
339 #·BEGIN·fix·(17·/·37)·for·'chromium_disable_incognito_mode'339 #·BEGIN·fix·(17·/·37)·for·'chromium_disable_incognito_mode'
340 ###############################################################################340 ###############################################################################
341 (>&2·echo·"Remediating·rule·17/37:·'chromium_disable_incognito_mode'")341 (>&2·echo·"Remediating·rule·17/37:·'chromium_disable_incognito_mode'")
342 CHROME_POL_FILE="chrome_stig_policy.json"342 CHROME_POL_FILE="chrome_stig_policy.json"
343 CHROME_POL_DIR="/etc/chromium/policies/managed/"343 CHROME_POL_DIR="/etc/chromium/policies/managed/"
Offset 409, 30 lines modifiedOffset 409, 30 lines modified
409 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}409 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
410 else410 else
411 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}411 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
412 fi412 fi
413 #·END·fix·for·'chromium_enable_safe_browsing'413 #·END·fix·for·'chromium_enable_safe_browsing'
  
414 ###############################################################################414 ###############################################################################
415 #·BEGIN·fix·(21·/·37)·for·'chromium_disable_cleartext_passwords'415 #·BEGIN·fix·(21·/·37)·for·'chromium_plugins_require_authorization'
416 ###############################################################################416 ###############################################################################
417 (>&2·echo·"Remediating·rule·21/37:·'chromium_disable_cleartext_passwords'")417 (>&2·echo·"Remediating·rule·21/37:·'chromium_plugins_require_authorization'")
418 CHROME_POL_FILE="chrome_stig_policy.json"418 CHROME_POL_FILE="chrome_stig_policy.json"
419 CHROME_POL_DIR="/etc/chromium/policies/managed/"419 CHROME_POL_DIR="/etc/chromium/policies/managed/"
420 POL_SETTING="PasswordManagerAllowShowPasswords"420 POL_SETTING="AlwaysAuthorizePlugins"
421 POL_SETTING_VAL="false"421 POL_SETTING_VAL="false"
  
422 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}422 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
423 if·!·[·$?·-eq·0·]·;·then423 if·!·[·$?·-eq·0·]·;·then
424 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}424 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
425 else425 else
426 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}426 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
427 fi427 fi
428 #·END·fix·for·'chromium_disable_cleartext_passwords'428 #·END·fix·for·'chromium_plugins_require_authorization'
  
429 ###############################################################################429 ###############################################################################
430 #·BEGIN·fix·(22·/·37)·for·'chromium_default_block_plugins'430 #·BEGIN·fix·(22·/·37)·for·'chromium_default_block_plugins'
431 ###############################################################################431 ###############################################################################
432 (>&2·echo·"Remediating·rule·22/37:·'chromium_default_block_plugins'")432 (>&2·echo·"Remediating·rule·22/37:·'chromium_default_block_plugins'")
433 CHROME_POL_FILE="chrome_stig_policy.json"433 CHROME_POL_FILE="chrome_stig_policy.json"
434 CHROME_POL_DIR="/etc/chromium/policies/managed/"434 CHROME_POL_DIR="/etc/chromium/policies/managed/"
Offset 557, 30 lines modifiedOffset 557, 30 lines modified
557 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}557 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
558 else558 else
559 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}559 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
560 fi560 fi
561 #·END·fix·for·'chromium_block_desktop_notifications'561 #·END·fix·for·'chromium_block_desktop_notifications'
  
562 ###############################################################################562 ###############################################################################
563 #·BEGIN·fix·(29·/·37)·for·'chromium_disable_network_prediction'563 #·BEGIN·fix·(29·/·37)·for·'chromium_disable_google_sync'
564 ###############################################################################564 ###############################################################################
565 (>&2·echo·"Remediating·rule·29/37:·'chromium_disable_network_prediction'")565 (>&2·echo·"Remediating·rule·29/37:·'chromium_disable_google_sync'")
566 CHROME_POL_FILE="chrome_stig_policy.json"566 CHROME_POL_FILE="chrome_stig_policy.json"
567 CHROME_POL_DIR="/etc/chromium/policies/managed/"567 CHROME_POL_DIR="/etc/chromium/policies/managed/"
568 POL_SETTING="DnsPrefetchingEnabled"568 POL_SETTING="SyncDisabled"
569 POL_SETTING_VAL="false"569 POL_SETTING_VAL="true"
  
570 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}570 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
571 if·!·[·$?·-eq·0·]·;·then571 if·!·[·$?·-eq·0·]·;·then
572 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}572 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
573 else573 else
574 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}574 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
575 fi575 fi
576 #·END·fix·for·'chromium_disable_network_prediction'576 #·END·fix·for·'chromium_disable_google_sync'
  
577 ###############################################################################577 ###############################################################################
578 #·BEGIN·fix·(30·/·37)·for·'chromium_disable_thirdparty_cookies'578 #·BEGIN·fix·(30·/·37)·for·'chromium_disable_thirdparty_cookies'
579 ###############################################################################579 ###############################################################################
580 (>&2·echo·"Remediating·rule·30/37:·'chromium_disable_thirdparty_cookies'")580 (>&2·echo·"Remediating·rule·30/37:·'chromium_disable_thirdparty_cookies'")
581 CHROME_POL_FILE="chrome_stig_policy.json"581 CHROME_POL_FILE="chrome_stig_policy.json"
582 CHROME_POL_DIR="/etc/chromium/policies/managed/"582 CHROME_POL_DIR="/etc/chromium/policies/managed/"
Offset 593, 30 lines modifiedOffset 593, 30 lines modified
593 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}593 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
594 else594 else
595 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}595 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
596 fi596 fi
597 #·END·fix·for·'chromium_disable_thirdparty_cookies'597 #·END·fix·for·'chromium_disable_thirdparty_cookies'
  
598 ###############################################################################598 ###############################################################################
599 #·BEGIN·fix·(31·/·37)·for·'chromium_disable_popups'599 #·BEGIN·fix·(31·/·37)·for·'chromium_disable_metrics_reporting'
600 ###############################################################################600 ###############################################################################
601 (>&2·echo·"Remediating·rule·31/37:·'chromium_disable_popups'")601 (>&2·echo·"Remediating·rule·31/37:·'chromium_disable_metrics_reporting'")
602 CHROME_POL_FILE="chrome_stig_policy.json"602 CHROME_POL_FILE="chrome_stig_policy.json"
603 CHROME_POL_DIR="/etc/chromium/policies/managed/"603 CHROME_POL_DIR="/etc/chromium/policies/managed/"
604 POL_SETTING="DefaultPopupsSetting"604 POL_SETTING="MetricsReportingEnabled"
605 POL_SETTING_VAL="2"605 POL_SETTING_VAL="false"
  
606 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}606 grep·-q·${POL_SETTING}·${CHROME_POL_DIR}/${CHROME_POL_FILE}
  
607 if·!·[·$?·-eq·0·]·;·then607 if·!·[·$?·-eq·0·]·;·then
608 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}608 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
609 else609 else
610 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}610 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
611 fi611 fi
612 #·END·fix·for·'chromium_disable_popups'612 #·END·fix·for·'chromium_disable_metrics_reporting'
  
613 ###############################################################################613 ###############################################################################
614 #·BEGIN·fix·(32·/·37)·for·'chromium_disable_protocol_schemas'614 #·BEGIN·fix·(32·/·37)·for·'chromium_disable_protocol_schemas'
615 ###############################################################################615 ###############################################################################
616 (>&2·echo·"Remediating·rule·32/37:·'chromium_disable_protocol_schemas'")616 (>&2·echo·"Remediating·rule·32/37:·'chromium_disable_protocol_schemas'")
617 populate·var_url_blacklist617 populate·var_url_blacklist
  
Offset 667, 30 lines modifiedOffset 667, 30 lines modified
667 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}667 ···sed·-i·-e·'/{/a·\··"'${POL_SETTING}'":·'${POL_SETTING_VAL}','·${CHROME_POL_DIR}/${CHROME_POL_FILE}
668 else668 else
669 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}669 ···sed·-i·-e·'s/\"'${POL_SETTING}'.*/\"'${POL_SETTING}'\":·'${POL_SETTING_VAL}',/g'·${CHROME_POL_DIR}/${CHROME_POL_FILE}
Max diff block lines reached; 2931/10192 bytes (28.76%) of diff not shown.
9.62 KB
./usr/share/scap-security-guide/bash/ssg-firefox-role-stig-firefox-upstream.sh
    
Offset 29, 37 lines modifiedOffset 29, 17 lines modified
29 #29 #
30 #·How·to·apply·this·remediation·role:30 #·How·to·apply·this·remediation·role:
31 #·$·sudo·./remediation-role.sh31 #·$·sudo·./remediation-role.sh
32 #32 #
33 ###############################################################################33 ###############################################################################
  
34 ###############################################################################34 ###############################################################################
35 #·BEGIN·fix·(1·/·28)·for·'firefox_preferences-dod_root_certificate_installed'35 #·BEGIN·fix·(1·/·28)·for·'firefox_preferences-cookies_user_notice'
36 ###############################################################################36 ###############################################################################
37 (>&2·echo·"Remediating·rule·1/28:·'firefox_preferences-dod_root_certificate_installed'")37 (>&2·echo·"Remediating·rule·1/28:·'firefox_preferences-cookies_user_notice'")
38 #·FIX·FOR·THIS·RULE·IS·MISSING 
39 #·END·fix·for·'firefox_preferences-dod_root_certificate_installed' 
  
40 ############################################################################### 
41 #·BEGIN·fix·(2·/·28)·for·'firefox_preferences-enable_ca_trust' 
42 ############################################################################### 
43 (>&2·echo·"Remediating·rule·2/28:·'firefox_preferences-enable_ca_trust'") 
44 P11=$(readlink·/etc/alternatives/libnssckbi.so*) 
45 P11LIB="/usr/lib/pkcs11/p11-kit-trust.so" 
46 P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so" 
  
47 if·!·[[·${P11}·==·"${P11LIB64}"·]]·||·!·[[·${P11}·==·"${P11LIB}"·]]·;·then 
48 ···/usr/bin/update-ca-trust·enable 
49 fi 
50 #·END·fix·for·'firefox_preferences-enable_ca_trust' 
  
51 ############################################################################### 
52 #·BEGIN·fix·(3·/·28)·for·'firefox_preferences-cookies_user_notice' 
53 ############################################################################### 
54 (>&2·echo·"Remediating·rule·3/28:·'firefox_preferences-cookies_user_notice'") 
55 #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the38 #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the
56 #·preference·if·it·does·not·exist.39 #·preference·if·it·does·not·exist.
57 #40 #
58 #·Expects·three·arguments:41 #·Expects·three·arguments:
59 #42 #
60 #·config_file:··········Configuration·file·that·will·be·modified43 #·config_file:··········Configuration·file·that·will·be·modified
61 #·key:··················Configuration·option·to·change44 #·key:··················Configuration·option·to·change
Offset 112, 17 lines modifiedOffset 92, 17 lines modified
112 ··done92 ··done
113 }93 }
  
114 firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false"94 firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.promptOnSanitize"·"false"
115 #·END·fix·for·'firefox_preferences-cookies_user_notice'95 #·END·fix·for·'firefox_preferences-cookies_user_notice'
  
116 ###############################################################################96 ###############################################################################
117 #·BEGIN·fix·(4·/·28)·for·'firefox_preferences-cookies_clear'97 #·BEGIN·fix·(2·/·28)·for·'firefox_preferences-cookies_clear'
118 ###############################################################################98 ###############################################################################
119 (>&2·echo·"Remediating·rule·4/28:·'firefox_preferences-cookies_clear'")99 (>&2·echo·"Remediating·rule·2/28:·'firefox_preferences-cookies_clear'")
120 #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the100 #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the
121 #·preference·if·it·does·not·exist.101 #·preference·if·it·does·not·exist.
122 #102 #
123 #·Expects·three·arguments:103 #·Expects·three·arguments:
124 #104 #
125 #·config_file:··········Configuration·file·that·will·be·modified105 #·config_file:··········Configuration·file·that·will·be·modified
126 #·key:··················Configuration·option·to·change106 #·key:··················Configuration·option·to·change
Offset 175, 17 lines modifiedOffset 155, 17 lines modified
175 ··done155 ··done
176 }156 }
  
177 firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true"157 firefox_cfg_setting·"stig.cfg"·"privacy.sanitize.sanitizeOnShutdown"·"true"
178 #·END·fix·for·'firefox_preferences-cookies_clear'158 #·END·fix·for·'firefox_preferences-cookies_clear'
  
179 ###############################################################################159 ###############################################################################
180 #·BEGIN·fix·(5·/·28)·for·'firefox_preferences-lock_settings_obscure'160 #·BEGIN·fix·(3·/·28)·for·'firefox_preferences-lock_settings_obscure'
181 ###############################################################################161 ###############################################################################
182 (>&2·echo·"Remediating·rule·5/28:·'firefox_preferences-lock_settings_obscure'")162 (>&2·echo·"Remediating·rule·3/28:·'firefox_preferences-lock_settings_obscure'")
183 #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the163 #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the
184 #·preference·if·it·does·not·exist.164 #·preference·if·it·does·not·exist.
185 #165 #
186 #·Expects·three·arguments:166 #·Expects·three·arguments:
187 #167 #
188 #·config_file:··········Configuration·file·that·will·be·modified168 #·config_file:··········Configuration·file·that·will·be·modified
189 #·key:··················Configuration·option·to·change169 #·key:··················Configuration·option·to·change
Offset 251, 17 lines modifiedOffset 231, 17 lines modified
  
251 }231 }
  
252 firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0"232 firefox_js_setting·"stig_settings.js"·"general.config.obscure_value"·"0"
253 #·END·fix·for·'firefox_preferences-lock_settings_obscure'233 #·END·fix·for·'firefox_preferences-lock_settings_obscure'
  
254 ###############################################################################234 ###############################################################################
255 #·BEGIN·fix·(6·/·28)·for·'firefox_preferences-lock_settings_config_file'235 #·BEGIN·fix·(4·/·28)·for·'firefox_preferences-lock_settings_config_file'
256 ###############################################################################236 ###############################################################################
257 (>&2·echo·"Remediating·rule·6/28:·'firefox_preferences-lock_settings_config_file'")237 (>&2·echo·"Remediating·rule·4/28:·'firefox_preferences-lock_settings_config_file'")
258 #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the238 #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·JavaScript·file·or·add·the
259 #·preference·if·it·does·not·exist.239 #·preference·if·it·does·not·exist.
260 #240 #
261 #·Expects·three·arguments:241 #·Expects·three·arguments:
262 #242 #
263 #·config_file:··········Configuration·file·that·will·be·modified243 #·config_file:··········Configuration·file·that·will·be·modified
264 #·key:··················Configuration·option·to·change244 #·key:··················Configuration·option·to·change
Offset 327, 14 lines modifiedOffset 307, 34 lines modified
  
327 }307 }
  
328 firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"stig.cfg\""308 firefox_js_setting·"stig_settings.js"·"general.config.filename"·"\"stig.cfg\""
329 #·END·fix·for·'firefox_preferences-lock_settings_config_file'309 #·END·fix·for·'firefox_preferences-lock_settings_config_file'
  
330 ###############################################################################310 ###############################################################################
 311 #·BEGIN·fix·(5·/·28)·for·'firefox_preferences-dod_root_certificate_installed'
 312 ###############################################################################
 313 (>&2·echo·"Remediating·rule·5/28:·'firefox_preferences-dod_root_certificate_installed'")
 314 #·FIX·FOR·THIS·RULE·IS·MISSING
 315 #·END·fix·for·'firefox_preferences-dod_root_certificate_installed'
  
 316 ###############################################################################
 317 #·BEGIN·fix·(6·/·28)·for·'firefox_preferences-enable_ca_trust'
 318 ###############################################################################
 319 (>&2·echo·"Remediating·rule·6/28:·'firefox_preferences-enable_ca_trust'")
 320 P11=$(readlink·/etc/alternatives/libnssckbi.so*)
 321 P11LIB="/usr/lib/pkcs11/p11-kit-trust.so"
 322 P11LIB64="/usr/lib64/pkcs11/p11-kit-trust.so"
  
 323 if·!·[[·${P11}·==·"${P11LIB64}"·]]·||·!·[[·${P11}·==·"${P11LIB}"·]]·;·then
 324 ···/usr/bin/update-ca-trust·enable
 325 fi
 326 #·END·fix·for·'firefox_preferences-enable_ca_trust'
  
 327 ###############################################################################
331 #·BEGIN·fix·(7·/·28)·for·'firefox_preferences-ssl_protocol_tls'328 #·BEGIN·fix·(7·/·28)·for·'firefox_preferences-ssl_protocol_tls'
332 ###############################################################################329 ###############################################################################
333 (>&2·echo·"Remediating·rule·7/28:·'firefox_preferences-ssl_protocol_tls'")330 (>&2·echo·"Remediating·rule·7/28:·'firefox_preferences-ssl_protocol_tls'")
334 #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the331 #·Function·to·replace·configuration·setting(s)·in·the·Firefox·preferences·configuration·(.cfg)·file·or·add·the
335 #·preference·if·it·does·not·exist.332 #·preference·if·it·does·not·exist.
336 #333 #
337 #·Expects·three·arguments:334 #·Expects·three·arguments:
Offset 1213, 17 lines modifiedOffset 1213, 17 lines modified
Max diff block lines reached; 3214/9694 bytes (33.15%) of diff not shown.
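Review bot: The two builds emit the remediation rules in a different order — in the left build 'firefox_preferences-dod_root_certificate_installed' and 'firefox_preferences-enable_ca_trust' are rules 1 and 2 (lines 35–50), in the right build the same blocks appear as rules 5 and 6 (lines 311–326) and every other rule is renumbered accordingly, so the script's content depends on build-time state rather than on the source. That looks like iteration over an unordered dict or set in the Python 2.7 build tooling named by the generator block; sorting the rule list (for example by rule id) before rendering the bash role would make the output deterministic, and the same reordering shows up in the OCIL questionnaires of the ssg-chromium-ds.xml section below. Independently of the ordering, the guard at line 323 of the right side, `if ! [[ ${P11} == "${P11LIB64}" ]] || ! [[ ${P11} == "${P11LIB}" ]] ; then`, is always true because the link cannot equal both paths at once, so `update-ca-trust enable` runs unconditionally; the intended check is `if ! [[ ${P11} == "${P11LIB64}" ]] && ! [[ ${P11} == "${P11LIB}" ]] ; then`. Note also that `readlink /etc/alternatives/libnssckbi.so*` is an unquoted glob and prints one line per match, so P11 may hold several paths if more than one alternative exists. The section is truncated by the diff viewer, so later rules are not visible here.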
1.76 KB
./usr/share/xml/scap/ssg/content/ssg-chromium-cpe-oval.xml
1.65 KB
./usr/share/xml/scap/ssg/content/ssg-chromium-cpe-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:29:16</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1">10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title>12 ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title>
13 ········<ns0:affected·family="unix">13 ········<ns0:affected·family="unix">
14 ··········<ns0:product>Google·Chromium·Browser</ns0:product>14 ··········<ns0:product>Google·Chromium·Browser</ns0:product>
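Review bot: The only difference in this file is the `<ns2:timestamp>` written by combine-ovals.py (line 7, 2020-07-12T03:29:16 vs 2020-07-12T04:17:30), i.e. the generator embeds the wall-clock build time, which is by itself enough to make the package unreproducible. The same generator timestamp reappears in the ssg-chromium-ds.xml section (lines 25, 31 and 903 there), while the OCIL generator's timestamp in that section (line 909, 2018-07-26T14:58:28Z) is identical on both sides, so that tool already uses a fixed time. combine-ovals.py and the data-stream composer should derive the timestamp the same way, e.g. from SOURCE_DATE_EPOCH when it is set, falling back to the current time otherwise; a comment such as `<!-- timestamp taken from SOURCE_DATE_EPOCH for reproducible builds -->` next to the generator block would document the expectation.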
129 KB
./usr/share/xml/scap/ssg/content/ssg-chromium-ds.xml
129 KB
./usr/share/xml/scap/ssg/content/ssg-chromium-ds.xml
    
Offset 18, 21 lines modifiedOffset 18, 21 lines modified
18 ····</ds:checklists>18 ····</ds:checklists>
19 ····<ds:checks>19 ····<ds:checks>
20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-oval.xml"/>20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-oval.xml"/>
21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-ocil.xml"/>21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-ocil.xml"/>
22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-cpe-oval.xml"/>22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-chromium-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-chromium-cpe-oval.xml"/>
23 ····</ds:checks>23 ····</ds:checks>
24 ··</ds:data-stream>24 ··</ds:data-stream>
25 ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-oval.xml"·timestamp="2020-07-11T15:39:13">25 ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-oval.xml"·timestamp="2020-07-12T18:46:38">
26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
27 ······<ns0:generator>27 ······<ns0:generator>
28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
30 ········<ns2:schema_version>5.11</ns2:schema_version>30 ········<ns2:schema_version>5.11</ns2:schema_version>
31 ········<ns2:timestamp>2020-07-12T03:29:16</ns2:timestamp>31 ········<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp>
32 ······</ns0:generator>32 ······</ns0:generator>
33 ······<ns0:definitions>33 ······<ns0:definitions>
34 ········<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1">34 ········<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1">
35 ··········<ns0:metadata>35 ··········<ns0:metadata>
36 ············<ns0:title>Blacklist·Extension·Installation</ns0:title>36 ············<ns0:title>Blacklist·Extension·Installation</ns0:title>
37 ············<ns0:affected·family="unix">37 ············<ns0:affected·family="unix">
38 ··············<ns0:platform>Google·Chromium·Browser</ns0:platform>38 ··············<ns0:platform>Google·Chromium·Browser</ns0:platform>
Offset 896, 15 lines modifiedOffset 896, 15 lines modified
896 ········<ns0:external_variable·comment="Expected·search·provider·name"·datatype="string"·id="oval:ssg-var_enable_encrypted_searching:var:1"·version="1"/>896 ········<ns0:external_variable·comment="Expected·search·provider·name"·datatype="string"·id="oval:ssg-var_enable_encrypted_searching:var:1"·version="1"/>
897 ········<ns0:external_variable·comment="Expected·approved·extensions"·datatype="string"·id="oval:ssg-var_extension_whitelist:var:1"·version="1"/>897 ········<ns0:external_variable·comment="Expected·approved·extensions"·datatype="string"·id="oval:ssg-var_extension_whitelist:var:1"·version="1"/>
898 ········<ns0:external_variable·comment="Expected·HTTP·authentication·type"·datatype="string"·id="oval:ssg-var_auth_schema:var:1"·version="1"/>898 ········<ns0:external_variable·comment="Expected·HTTP·authentication·type"·datatype="string"·id="oval:ssg-var_auth_schema:var:1"·version="1"/>
899 ········<ns0:external_variable·comment="Expected·home·page"·datatype="string"·id="oval:ssg-var_trusted_home_page:var:1"·version="1"/>899 ········<ns0:external_variable·comment="Expected·home·page"·datatype="string"·id="oval:ssg-var_trusted_home_page:var:1"·version="1"/>
900 ······</ns0:variables>900 ······</ns0:variables>
901 ····</ns0:oval_definitions>901 ····</ns0:oval_definitions>
902 ··</ds:component>902 ··</ds:component>
903 ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-ocil.xml"·timestamp="2020-07-11T15:39:14">903 ··<ds:component·id="scap_org.open-scap_comp_ssg-chromium-ocil.xml"·timestamp="2020-07-12T18:46:38">
904 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">904 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">
905 ······<ns0:generator>905 ······<ns0:generator>
906 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>906 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
907 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>907 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>
908 ········<ns0:schema_version>2.0</ns0:schema_version>908 ········<ns0:schema_version>2.0</ns0:schema_version>
909 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>909 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
910 ······</ns0:generator>910 ······</ns0:generator>
Offset 995, 18 lines modifiedOffset 995, 18 lines modified
995 ········</ns0:questionnaire>995 ········</ns0:questionnaire>
996 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1">996 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1">
997 ··········<ns0:title>Disable·Saved·Passwords</ns0:title>997 ··········<ns0:title>Disable·Saved·Passwords</ns0:title>
998 ··········<ns0:actions>998 ··········<ns0:actions>
999 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ns0:test_action_ref>999 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ns0:test_action_ref>
1000 ··········</ns0:actions>1000 ··········</ns0:actions>
1001 ········</ns0:questionnaire>1001 ········</ns0:questionnaire>
1002 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_metrics_reporting_ocil:questionnaire:1">1002 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_popups_ocil:questionnaire:1">
1003 ··········<ns0:title>Disable·Metrics·Reporting</ns0:title>1003 ··········<ns0:title>Disable·Popups</ns0:title>
1004 ··········<ns0:actions>1004 ··········<ns0:actions>
1005 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1</ns0:test_action_ref>1005 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_popups_action:testaction:1</ns0:test_action_ref>
1006 ··········</ns0:actions>1006 ··········</ns0:actions>
1007 ········</ns0:questionnaire>1007 ········</ns0:questionnaire>
1008 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1">1008 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1">
1009 ··········<ns0:title>Disable·Incognito·Mode</ns0:title>1009 ··········<ns0:title>Disable·Incognito·Mode</ns0:title>
1010 ··········<ns0:actions>1010 ··········<ns0:actions>
1011 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ns0:test_action_ref>1011 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ns0:test_action_ref>
1012 ··········</ns0:actions>1012 ··········</ns0:actions>
Offset 1025, 18 lines modifiedOffset 1025, 18 lines modified
1025 ········</ns0:questionnaire>1025 ········</ns0:questionnaire>
1026 ········<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1">1026 ········<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1">
1027 ··········<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title>1027 ··········<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title>
1028 ··········<ns0:actions>1028 ··········<ns0:actions>
1029 ············<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref>1029 ············<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref>
1030 ··········</ns0:actions>1030 ··········</ns0:actions>
1031 ········</ns0:questionnaire>1031 ········</ns0:questionnaire>
1032 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_cleartext_passwords_ocil:questionnaire:1">1032 ········<ns0:questionnaire·id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1">
1033 ··········<ns0:title>Disable·Use·of·Cleartext·Passwords</ns0:title>1033 ··········<ns0:title>Require·Outdated·Plugins·to·be·Authorized</ns0:title>
1034 ··········<ns0:actions>1034 ··········<ns0:actions>
1035 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1</ns0:test_action_ref>1035 ············<ns0:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ns0:test_action_ref>
1036 ··········</ns0:actions>1036 ··········</ns0:actions>
1037 ········</ns0:questionnaire>1037 ········</ns0:questionnaire>
1038 ········<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1">1038 ········<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1">
1039 ··········<ns0:title>Block·Plugins·by·Default</ns0:title>1039 ··········<ns0:title>Block·Plugins·by·Default</ns0:title>
1040 ··········<ns0:actions>1040 ··········<ns0:actions>
1041 ············<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref>1041 ············<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref>
1042 ··········</ns0:actions>1042 ··········</ns0:actions>
Offset 1073, 30 lines modifiedOffset 1073, 30 lines modified
1073 ········</ns0:questionnaire>1073 ········</ns0:questionnaire>
1074 ········<ns0:questionnaire·id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1">1074 ········<ns0:questionnaire·id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1">
1075 ··········<ns0:title>Prevent·Desktop·Notifications</ns0:title>1075 ··········<ns0:title>Prevent·Desktop·Notifications</ns0:title>
1076 ··········<ns0:actions>1076 ··········<ns0:actions>
1077 ············<ns0:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ns0:test_action_ref>1077 ············<ns0:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ns0:test_action_ref>
1078 ··········</ns0:actions>1078 ··········</ns0:actions>
1079 ········</ns0:questionnaire>1079 ········</ns0:questionnaire>
1080 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_network_prediction_ocil:questionnaire:1">1080 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_google_sync_ocil:questionnaire:1">
1081 ··········<ns0:title>Disable·Network·Prediction</ns0:title>1081 ··········<ns0:title>Disable·Data·Synchronization·to·Google</ns0:title>
1082 ··········<ns0:actions>1082 ··········<ns0:actions>
1083 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_network_prediction_action:testaction:1</ns0:test_action_ref>1083 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_google_sync_action:testaction:1</ns0:test_action_ref>
1084 ··········</ns0:actions>1084 ··········</ns0:actions>
1085 ········</ns0:questionnaire>1085 ········</ns0:questionnaire>
1086 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1">1086 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1">
1087 ··········<ns0:title>Disable·3rd·Party·Cookies</ns0:title>1087 ··········<ns0:title>Disable·3rd·Party·Cookies</ns0:title>
1088 ··········<ns0:actions>1088 ··········<ns0:actions>
1089 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ns0:test_action_ref>1089 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ns0:test_action_ref>
1090 ··········</ns0:actions>1090 ··········</ns0:actions>
1091 ········</ns0:questionnaire>1091 ········</ns0:questionnaire>
1092 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_popups_ocil:questionnaire:1">1092 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_metrics_reporting_ocil:questionnaire:1">
1093 ··········<ns0:title>Disable·Popups</ns0:title>1093 ··········<ns0:title>Disable·Metrics·Reporting</ns0:title>
1094 ··········<ns0:actions>1094 ··········<ns0:actions>
1095 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_popups_action:testaction:1</ns0:test_action_ref>1095 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1</ns0:test_action_ref>
1096 ··········</ns0:actions>1096 ··········</ns0:actions>
1097 ········</ns0:questionnaire>1097 ········</ns0:questionnaire>
1098 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1">1098 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1">
1099 ··········<ns0:title>Disable·Insecure·And·Obsolete·Protocol·Schemas</ns0:title>1099 ··········<ns0:title>Disable·Insecure·And·Obsolete·Protocol·Schemas</ns0:title>
1100 ··········<ns0:actions>1100 ··········<ns0:actions>
1101 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ns0:test_action_ref>1101 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ns0:test_action_ref>
1102 ··········</ns0:actions>1102 ··········</ns0:actions>
Offset 1109, 30 lines modifiedOffset 1109, 30 lines modified
1109 ········</ns0:questionnaire>1109 ········</ns0:questionnaire>
1110 ········<ns0:questionnaire·id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1">1110 ········<ns0:questionnaire·id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1">
1111 ··········<ns0:title>Disable·All·Extensions·by·Default</ns0:title>1111 ··········<ns0:title>Disable·All·Extensions·by·Default</ns0:title>
1112 ··········<ns0:actions>1112 ··········<ns0:actions>
1113 ············<ns0:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ns0:test_action_ref>1113 ············<ns0:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ns0:test_action_ref>
1114 ··········</ns0:actions>1114 ··········</ns0:actions>
1115 ········</ns0:questionnaire>1115 ········</ns0:questionnaire>
1116 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_google_sync_ocil:questionnaire:1">1116 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_network_prediction_ocil:questionnaire:1">
1117 ··········<ns0:title>Disable·Data·Synchronization·to·Google</ns0:title>1117 ··········<ns0:title>Disable·Network·Prediction</ns0:title>
1118 ··········<ns0:actions>1118 ··········<ns0:actions>
1119 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_google_sync_action:testaction:1</ns0:test_action_ref>1119 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_network_prediction_action:testaction:1</ns0:test_action_ref>
1120 ··········</ns0:actions>1120 ··········</ns0:actions>
1121 ········</ns0:questionnaire>1121 ········</ns0:questionnaire>
1122 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1">1122 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1">
1123 ··········<ns0:title>Disable·Cloud·Print·Sharing</ns0:title>1123 ··········<ns0:title>Disable·Cloud·Print·Sharing</ns0:title>
1124 ··········<ns0:actions>1124 ··········<ns0:actions>
1125 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref>1125 ············<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref>
1126 ··········</ns0:actions>1126 ··········</ns0:actions>
1127 ········</ns0:questionnaire>1127 ········</ns0:questionnaire>
1128 ········<ns0:questionnaire·id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1">1128 ········<ns0:questionnaire·id="ocil:ssg-chromium_disable_cleartext_passwords_ocil:questionnaire:1">
Max diff block lines reached; 121818/132299 bytes (92.08%) of diff not shown.
20.1 KB
./usr/share/xml/scap/ssg/content/ssg-chromium-ocil.xml
20.0 KB
./usr/share/xml/scap/ssg/content/ssg-chromium-ocil.xml
    
Offset 93, 18 lines modifiedOffset 93, 18 lines modified
93 ····</ns0:questionnaire>93 ····</ns0:questionnaire>
94 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1">94 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_saved_passwords_ocil:questionnaire:1">
95 ······<ns0:title>Disable·Saved·Passwords</ns0:title>95 ······<ns0:title>Disable·Saved·Passwords</ns0:title>
96 ······<ns0:actions>96 ······<ns0:actions>
97 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ns0:test_action_ref>97 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_saved_passwords_action:testaction:1</ns0:test_action_ref>
98 ······</ns0:actions>98 ······</ns0:actions>
99 ····</ns0:questionnaire>99 ····</ns0:questionnaire>
100 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_metrics_reporting_ocil:questionnaire:1">100 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_popups_ocil:questionnaire:1">
101 ······<ns0:title>Disable·Metrics·Reporting</ns0:title>101 ······<ns0:title>Disable·Popups</ns0:title>
102 ······<ns0:actions>102 ······<ns0:actions>
103 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1</ns0:test_action_ref>103 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_popups_action:testaction:1</ns0:test_action_ref>
104 ······</ns0:actions>104 ······</ns0:actions>
105 ····</ns0:questionnaire>105 ····</ns0:questionnaire>
106 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1">106 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_incognito_mode_ocil:questionnaire:1">
107 ······<ns0:title>Disable·Incognito·Mode</ns0:title>107 ······<ns0:title>Disable·Incognito·Mode</ns0:title>
108 ······<ns0:actions>108 ······<ns0:actions>
109 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ns0:test_action_ref>109 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_incognito_mode_action:testaction:1</ns0:test_action_ref>
110 ······</ns0:actions>110 ······</ns0:actions>
Offset 123, 18 lines modifiedOffset 123, 18 lines modified
123 ····</ns0:questionnaire>123 ····</ns0:questionnaire>
124 ····<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1">124 ····<ns0:questionnaire·id="ocil:ssg-chromium_enable_safe_browsing_ocil:questionnaire:1">
125 ······<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title>125 ······<ns0:title>Enable·the·Safe·Browsing·Feature</ns0:title>
126 ······<ns0:actions>126 ······<ns0:actions>
127 ········<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref>127 ········<ns0:test_action_ref>ocil:ssg-chromium_enable_safe_browsing_action:testaction:1</ns0:test_action_ref>
128 ······</ns0:actions>128 ······</ns0:actions>
129 ····</ns0:questionnaire>129 ····</ns0:questionnaire>
130 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_cleartext_passwords_ocil:questionnaire:1">130 ····<ns0:questionnaire·id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1">
131 ······<ns0:title>Disable·Use·of·Cleartext·Passwords</ns0:title>131 ······<ns0:title>Require·Outdated·Plugins·to·be·Authorized</ns0:title>
132 ······<ns0:actions>132 ······<ns0:actions>
133 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1</ns0:test_action_ref>133 ········<ns0:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ns0:test_action_ref>
134 ······</ns0:actions>134 ······</ns0:actions>
135 ····</ns0:questionnaire>135 ····</ns0:questionnaire>
136 ····<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1">136 ····<ns0:questionnaire·id="ocil:ssg-chromium_default_block_plugins_ocil:questionnaire:1">
137 ······<ns0:title>Block·Plugins·by·Default</ns0:title>137 ······<ns0:title>Block·Plugins·by·Default</ns0:title>
138 ······<ns0:actions>138 ······<ns0:actions>
139 ········<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref>139 ········<ns0:test_action_ref>ocil:ssg-chromium_default_block_plugins_action:testaction:1</ns0:test_action_ref>
140 ······</ns0:actions>140 ······</ns0:actions>
Offset 171, 30 lines modifiedOffset 171, 30 lines modified
171 ····</ns0:questionnaire>171 ····</ns0:questionnaire>
172 ····<ns0:questionnaire·id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1">172 ····<ns0:questionnaire·id="ocil:ssg-chromium_block_desktop_notifications_ocil:questionnaire:1">
173 ······<ns0:title>Prevent·Desktop·Notifications</ns0:title>173 ······<ns0:title>Prevent·Desktop·Notifications</ns0:title>
174 ······<ns0:actions>174 ······<ns0:actions>
175 ········<ns0:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ns0:test_action_ref>175 ········<ns0:test_action_ref>ocil:ssg-chromium_block_desktop_notifications_action:testaction:1</ns0:test_action_ref>
176 ······</ns0:actions>176 ······</ns0:actions>
177 ····</ns0:questionnaire>177 ····</ns0:questionnaire>
178 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_network_prediction_ocil:questionnaire:1">178 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_google_sync_ocil:questionnaire:1">
179 ······<ns0:title>Disable·Network·Prediction</ns0:title>179 ······<ns0:title>Disable·Data·Synchronization·to·Google</ns0:title>
180 ······<ns0:actions>180 ······<ns0:actions>
181 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_network_prediction_action:testaction:1</ns0:test_action_ref>181 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_google_sync_action:testaction:1</ns0:test_action_ref>
182 ······</ns0:actions>182 ······</ns0:actions>
183 ····</ns0:questionnaire>183 ····</ns0:questionnaire>
184 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1">184 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_thirdparty_cookies_ocil:questionnaire:1">
185 ······<ns0:title>Disable·3rd·Party·Cookies</ns0:title>185 ······<ns0:title>Disable·3rd·Party·Cookies</ns0:title>
186 ······<ns0:actions>186 ······<ns0:actions>
187 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ns0:test_action_ref>187 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_thirdparty_cookies_action:testaction:1</ns0:test_action_ref>
188 ······</ns0:actions>188 ······</ns0:actions>
189 ····</ns0:questionnaire>189 ····</ns0:questionnaire>
190 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_popups_ocil:questionnaire:1">190 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_metrics_reporting_ocil:questionnaire:1">
191 ······<ns0:title>Disable·Popups</ns0:title>191 ······<ns0:title>Disable·Metrics·Reporting</ns0:title>
192 ······<ns0:actions>192 ······<ns0:actions>
193 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_popups_action:testaction:1</ns0:test_action_ref>193 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1</ns0:test_action_ref>
194 ······</ns0:actions>194 ······</ns0:actions>
195 ····</ns0:questionnaire>195 ····</ns0:questionnaire>
196 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1">196 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_protocol_schemas_ocil:questionnaire:1">
197 ······<ns0:title>Disable·Insecure·And·Obsolete·Protocol·Schemas</ns0:title>197 ······<ns0:title>Disable·Insecure·And·Obsolete·Protocol·Schemas</ns0:title>
198 ······<ns0:actions>198 ······<ns0:actions>
199 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ns0:test_action_ref>199 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_protocol_schemas_action:testaction:1</ns0:test_action_ref>
200 ······</ns0:actions>200 ······</ns0:actions>
Offset 207, 30 lines modifiedOffset 207, 30 lines modified
207 ····</ns0:questionnaire>207 ····</ns0:questionnaire>
208 ····<ns0:questionnaire·id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1">208 ····<ns0:questionnaire·id="ocil:ssg-chromium_blacklist_extension_installation_ocil:questionnaire:1">
209 ······<ns0:title>Disable·All·Extensions·by·Default</ns0:title>209 ······<ns0:title>Disable·All·Extensions·by·Default</ns0:title>
210 ······<ns0:actions>210 ······<ns0:actions>
211 ········<ns0:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ns0:test_action_ref>211 ········<ns0:test_action_ref>ocil:ssg-chromium_blacklist_extension_installation_action:testaction:1</ns0:test_action_ref>
212 ······</ns0:actions>212 ······</ns0:actions>
213 ····</ns0:questionnaire>213 ····</ns0:questionnaire>
214 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_google_sync_ocil:questionnaire:1">214 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_network_prediction_ocil:questionnaire:1">
215 ······<ns0:title>Disable·Data·Synchronization·to·Google</ns0:title>215 ······<ns0:title>Disable·Network·Prediction</ns0:title>
216 ······<ns0:actions>216 ······<ns0:actions>
217 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_google_sync_action:testaction:1</ns0:test_action_ref>217 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_network_prediction_action:testaction:1</ns0:test_action_ref>
218 ······</ns0:actions>218 ······</ns0:actions>
219 ····</ns0:questionnaire>219 ····</ns0:questionnaire>
220 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1">220 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_cloud_print_sharing_ocil:questionnaire:1">
221 ······<ns0:title>Disable·Cloud·Print·Sharing</ns0:title>221 ······<ns0:title>Disable·Cloud·Print·Sharing</ns0:title>
222 ······<ns0:actions>222 ······<ns0:actions>
223 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref>223 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_cloud_print_sharing_action:testaction:1</ns0:test_action_ref>
224 ······</ns0:actions>224 ······</ns0:actions>
225 ····</ns0:questionnaire>225 ····</ns0:questionnaire>
226 ····<ns0:questionnaire·id="ocil:ssg-chromium_plugins_require_authorization_ocil:questionnaire:1">226 ····<ns0:questionnaire·id="ocil:ssg-chromium_disable_cleartext_passwords_ocil:questionnaire:1">
227 ······<ns0:title>Require·Outdated·Plugins·to·be·Authorized</ns0:title>227 ······<ns0:title>Disable·Use·of·Cleartext·Passwords</ns0:title>
228 ······<ns0:actions>228 ······<ns0:actions>
229 ········<ns0:test_action_ref>ocil:ssg-chromium_plugins_require_authorization_action:testaction:1</ns0:test_action_ref>229 ········<ns0:test_action_ref>ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1</ns0:test_action_ref>
230 ······</ns0:actions>230 ······</ns0:actions>
231 ····</ns0:questionnaire>231 ····</ns0:questionnaire>
232 ··</ns0:questionnaires>232 ··</ns0:questionnaires>
233 ··<ns0:test_actions>233 ··<ns0:test_actions>
234 ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1">234 ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_session_cookies_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_session_cookies_question:question:1">
235 ······<ns0:when_true>235 ······<ns0:when_true>
236 ········<ns0:result>PASS</ns0:result>236 ········<ns0:result>PASS</ns0:result>
Offset 347, 15 lines modifiedOffset 347, 15 lines modified
347 ······<ns0:when_true>347 ······<ns0:when_true>
348 ········<ns0:result>PASS</ns0:result>348 ········<ns0:result>PASS</ns0:result>
349 ······</ns0:when_true>349 ······</ns0:when_true>
350 ······<ns0:when_false>350 ······<ns0:when_false>
351 ········<ns0:result>FAIL</ns0:result>351 ········<ns0:result>FAIL</ns0:result>
352 ······</ns0:when_false>352 ······</ns0:when_false>
353 ····</ns0:boolean_question_test_action>353 ····</ns0:boolean_question_test_action>
354 ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_metrics_reporting_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_metrics_reporting_question:question:1">354 ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_popups_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_popups_question:question:1">
355 ······<ns0:when_true>355 ······<ns0:when_true>
356 ········<ns0:result>PASS</ns0:result>356 ········<ns0:result>PASS</ns0:result>
357 ······</ns0:when_true>357 ······</ns0:when_true>
358 ······<ns0:when_false>358 ······<ns0:when_false>
359 ········<ns0:result>FAIL</ns0:result>359 ········<ns0:result>FAIL</ns0:result>
360 ······</ns0:when_false>360 ······</ns0:when_false>
361 ····</ns0:boolean_question_test_action>361 ····</ns0:boolean_question_test_action>
Offset 387, 15 lines modifiedOffset 387, 15 lines modified
387 ······<ns0:when_true>387 ······<ns0:when_true>
388 ········<ns0:result>PASS</ns0:result>388 ········<ns0:result>PASS</ns0:result>
389 ······</ns0:when_true>389 ······</ns0:when_true>
390 ······<ns0:when_false>390 ······<ns0:when_false>
391 ········<ns0:result>FAIL</ns0:result>391 ········<ns0:result>FAIL</ns0:result>
392 ······</ns0:when_false>392 ······</ns0:when_false>
393 ····</ns0:boolean_question_test_action>393 ····</ns0:boolean_question_test_action>
394 ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_disable_cleartext_passwords_action:testaction:1"·question_ref="ocil:ssg-chromium_disable_cleartext_passwords_question:question:1">394 ····<ns0:boolean_question_test_action·id="ocil:ssg-chromium_plugins_require_authorization_action:testaction:1"·question_ref="ocil:ssg-chromium_plugins_require_authorization_question:question:1">
395 ······<ns0:when_true>395 ······<ns0:when_true>
396 ········<ns0:result>PASS</ns0:result>396 ········<ns0:result>PASS</ns0:result>
397 ······</ns0:when_true>397 ······</ns0:when_true>
Max diff block lines reached; 11720/20354 bytes (57.58%) of diff not shown.
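Review bot: The ssg-chromium-ocil.xml emitted by the two builds holds the same questionnaires and test actions but in a different order (at offset 100 build 1 has `ssg-chromium_disable_metrics_reporting` where build 2 has `ssg-chromium_disable_popups`; `disable_google_sync` and `disable_network_prediction` swap places between offsets 178 and 214, and the `boolean_question_test_action` entries at offsets 354 and 394 swap likewise), which is what makes the ssg-applications .deb checksum differ. Evaluation is unaffected because every questionnaire and test action is referenced by id, but an artifact whose bytes depend on run-to-run iteration order cannot be independently verified against the published package, which is the whole point of a reproducible build. The generator is presumably iterating a Python 2.7 dict or set (the sibling OVAL files record `python: 2.7.16`), so sorting the rules before emitting — e.g. `for rule in sorted(rules, key=lambda r: r.id):` — should make the output stable. The 20.1 KB vs 20.0 KB size difference hints that the 57 % of the diff not shown may contain more than reordering, so confirm with the full diffoscope output before treating this as order-only.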
1.73 KB
./usr/share/xml/scap/ssg/content/ssg-chromium-oval.xml
1.63 KB
./usr/share/xml/scap/ssg/content/ssg-chromium-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:29:16</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1">10 ····<ns0:definition·class="compliance"·id="oval:ssg-chromium_blacklist_extension_installation:def:1"·version="1">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>Blacklist·Extension·Installation</ns0:title>12 ········<ns0:title>Blacklist·Extension·Installation</ns0:title>
13 ········<ns0:affected·family="unix">13 ········<ns0:affected·family="unix">
14 ··········<ns0:platform>Google·Chromium·Browser</ns0:platform>14 ··········<ns0:platform>Google·Chromium·Browser</ns0:platform>
103 KB
./usr/share/xml/scap/ssg/content/ssg-chromium-xccdf.xml
103 KB
./usr/share/xml/scap/ssg/content/ssg-chromium-xccdf.xml
    
Offset 222, 219 lines modifiedOffset 222, 14 lines modified
222 ····<refine-value·idref="var_extension_whitelist"·selector="none"/>222 ····<refine-value·idref="var_extension_whitelist"·selector="none"/>
223 ····<refine-value·idref="var_auth_schema"·selector="negotiate"/>223 ····<refine-value·idref="var_auth_schema"·selector="negotiate"/>
224 ····<refine-value·idref="var_trusted_home_page"·selector="blank"/>224 ····<refine-value·idref="var_trusted_home_page"·selector="blank"/>
225 ··</Profile>225 ··</Profile>
226 ··<Group·id="remediation_functions">226 ··<Group·id="remediation_functions">
227 ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title>227 ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title>
228 ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description>228 ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description>
229 ····<Value·hidden="true"·id="function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> 
230 ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_watch_rule</title> 
231 ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> 
232 ······<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: 
233 #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements 
234 #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect 
235 #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules 
236 # 
237 #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: 
238 #·*·audit·tool»    »    »    »    tool·used·to·load·audit·rules, 
239 #·»      »      »      »      »      either·'auditctl',·or·'augenrules' 
240 #·*·path························» value·of·-w·audit·rule's·argument 
241 #·*·required·access·bits········»   value·of·-p·audit·rule's·argument 
242 #·*·key·························»  value·of·-k·audit·rule's·argument 
243 # 
244 #·Example·call: 
245 # 
246 #·······fix_audit_watch_rule·&quot;auditctl&quot;·&quot;/etc/localtime&quot;·&quot;wa&quot;·&quot;audit_time_rules&quot; 
247 # 
248 function·fix_audit_watch_rule·{ 
  
249 #·Load·function·arguments·into·local·variables 
250 local·tool=&quot;$1&quot; 
251 local·path=&quot;$2&quot; 
252 local·required_access_bits=&quot;$3&quot; 
253 local·key=&quot;$4&quot; 
  
254 #·Check·sanity·of·the·input 
255 if·[·$#·-ne·&quot;4&quot;·] 
256 then 
257 »       echo·&quot;Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'&quot; 
258 »       echo·&quot;Aborting.&quot; 
259 »       exit·1 
260 fi 
  
261 #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness 
262 #·of·a·particular·audit·rule.·The·scheme·is·as·follows: 
263 # 
264 #·----------------------------------------------------------------------------------------- 
265 #·Tool·used·to·load·audit·rules»      |·Rule·already·defined»   |··Audit·rules·file·to·inspect»   ··| 
266 #·----------------------------------------------------------------------------------------- 
267 #»      auditctl»      »      |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| 
268 #·----------------------------------------------------------------------------------------- 
269 #·»      augenrules»    »    |··········Yes»»|··/etc/audit/rules.d/*.rules»     ··| 
270 #·»      augenrules»    »    |··········No» » |··/etc/audit/rules.d/$key.rules··| 
271 #·----------------------------------------------------------------------------------------- 
272 declare·-a·files_to_inspect 
  
273 #·Check·sanity·of·the·specified·audit·tool 
274 if·[·&quot;$tool&quot;·!=·'auditctl'·]·&amp;&amp;·[·&quot;$tool&quot;·!=·'augenrules'·] 
275 then 
276 »       echo·&quot;Unknown·audit·rules·loading·tool:·$1.·Aborting.&quot; 
277 »       echo·&quot;Use·either·'auditctl'·or·'augenrules'!&quot; 
278 »       exit·1 
279 #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' 
280 #·into·the·list·of·files·to·be·inspected 
281 elif·[·&quot;$tool&quot;·==·'auditctl'·] 
282 then 
283 »       files_to_inspect=(&quot;${files_to_inspect[@]}&quot;·'/etc/audit/audit.rules') 
284 #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined 
285 #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. 
286 #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. 
287 elif·[·&quot;$tool&quot;·==·'augenrules'·] 
288 then 
289 »       #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file 
290 »       #·Get·pair·--·filepath·:·matching_row·into·@matches·array 
291 »       IFS=$'\n'·matches=($(grep·-P·&quot;[\s]*-w[\s]+$path&quot;·/etc/audit/rules.d/*.rules)) 
292 »       #·Reset·IFS·back·to·default 
293 »       unset·IFS 
294 »       #·For·each·of·the·matched·entries 
295 »       for·match·in·&quot;${matches[@]}&quot; 
296 »       do 
297 »       »       #·Extract·filepath·from·the·match 
298 »       »       rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') 
299 »       »       #·Append·that·path·into·list·of·files·for·inspection 
300 »       »       files_to_inspect=(&quot;${files_to_inspect[@]}&quot;·&quot;$rulesd_audit_file&quot;) 
301 »       done 
302 »       #·Case·when·particular·audit·rule·isn't·defined·yet 
303 »       if·[·${#files_to_inspect[@]}·-eq·&quot;0&quot;·] 
304 »       then 
305 »       »       #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection 
306 »       »       files_to_inspect=&quot;/etc/audit/rules.d/$key.rules&quot; 
307 »       »       #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions 
308 »       »       if·[·!·-e·&quot;$files_to_inspect&quot;·] 
309 »       »       then 
310 »       »       »       touch·&quot;$files_to_inspect&quot; 
311 »       »       »       chmod·0640·&quot;$files_to_inspect&quot; 
312 »       »       fi 
313 »       fi 
314 fi 
  
315 #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule 
316 #·correction·for·each·of·the·files·previously·identified·for·inspection 
317 for·audit_rules_file·in·&quot;${files_to_inspect[@]}&quot; 
318 do 
  
319 »       #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present 
320 »       if·grep·-q·-P·--·&quot;[\s]*-w[\s]+$path&quot;·&quot;$audit_rules_file&quot; 
321 »       then 
322 »       »       #·Rule·is·found·=&gt;·verify·yet·if·existing·rule·definition·contains 
323 »       »       #·all·of·the·required·access·type·bits 
  
324 »       »       #·Escape·slashes·in·path·for·use·in·sed·pattern·below 
325 »       »       local·esc_path=${path//$'/'/$'\/'} 
326 »       »       #·Define·BRE·whitespace·class·shortcut 
327 »       »       local·sp=&quot;[[:space:]]&quot; 
328 »       »       #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule 
329 »       »       current_access_bits=$(sed·-ne·&quot;s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p&quot;·&quot;$audit_rules_file&quot;) 
330 »       »       #·Split·required·access·bits·string·into·characters·array 
331 »       »       #·(to·check·bit's·presence·for·one·bit·at·a·time) 
332 »       »       for·access_bit·in·$(echo·&quot;$required_access_bits&quot;·|·grep·-o·.) 
333 »       »       do 
334 »       »       »       #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check 
335 »       »       »       #·if·they·are·already·present·in·current·access·bits·for·rule. 
336 »       »       »       #·If·not,·append·that·bit·at·the·end 
337 »       »       »       if·!·grep·-q·&quot;$access_bit&quot;·&lt;&lt;&lt;·&quot;$current_access_bits&quot; 
338 »       »       »       then 
339 »       »       »       »       #·Concatenate·the·existing·mask·with·the·missing·bit 
340 »       »       »       »       current_access_bits=&quot;$current_access_bits$access_bit&quot; 
341 »       »       »       fi 
Max diff block lines reached; 94296/104957 bytes (89.84%) of diff not shown.
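Review bot: In ssg-chromium-xccdf.xml the hunk header reads `Offset 222, 219 lines modified` on the build-1 side against `Offset 222, 14 lines modified` on the build-2 side, and the hidden `function_fix_audit_watch_rule` Value under the `remediation_functions` Group appears only on the build-1 side, so the second build either drops the shared remediation-function Values or emits them elsewhere in the file. With 90 % of this file's diff not shown it cannot be told from here which; if they are genuinely absent, the two builds differ in content, not merely in element order, and the XCCDF should be treated as non-equivalent until the full diff is inspected. Either way the generator should write the remediation-function Values in a fixed order (sorted by Value id, `function_fix_audit_watch_rule` and its siblings) so the XCCDF is byte-identical across builds. The bash body shown here (`IFS=$'\n' matches=($(grep -P ...))`, `echo $match | cut -f1 -d ':'`) is history from the removed side and is not something this comparison changes.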
1.75 KB
./usr/share/xml/scap/ssg/content/ssg-firefox-cpe-oval.xml
1.64 KB
./usr/share/xml/scap/ssg/content/ssg-firefox-cpe-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:29:39</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1">10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"·version="1">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title>12 ········<ns0:title>Installed·operating·system·is·part·of·the·Unix·family</ns0:title>
13 ········<ns0:affected·family="unix">13 ········<ns0:affected·family="unix">
14 ··········<ns0:product>Mozilla·Firefox</ns0:product>14 ··········<ns0:product>Mozilla·Firefox</ns0:product>
176 KB
./usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
176 KB
./usr/share/xml/scap/ssg/content/ssg-firefox-ds.xml
    
Offset 7, 665 lines modifiedOffset 7, 32 lines modified
7 ··········<cat:uri·name="ssg-firefox-cpe-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"/>7 ··········<cat:uri·name="ssg-firefox-cpe-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"/>
8 ········</cat:catalog>8 ········</cat:catalog>
9 ······</ds:component-ref>9 ······</ds:component-ref>
10 ····</ds:dictionaries>10 ····</ds:dictionaries>
11 ····<ds:checklists>11 ····<ds:checklists>
12 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-xccdf-1.2.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-xccdf-1.2.xml">12 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-xccdf-1.2.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-xccdf-1.2.xml">
13 ········<cat:catalog>13 ········<cat:catalog>
14 ··········<cat:uri·name="ssg-firefox-ocil.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-ocil.xml"/> 
15 ··········<cat:uri·name="ssg-firefox-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-oval.xml"/>14 ··········<cat:uri·name="ssg-firefox-oval.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-oval.xml"/>
 15 ··········<cat:uri·name="ssg-firefox-ocil.xml"·uri="#scap_org.open-scap_cref_ssg-firefox-ocil.xml"/>
16 ········</cat:catalog>16 ········</cat:catalog>
17 ······</ds:component-ref>17 ······</ds:component-ref>
18 ····</ds:checklists>18 ····</ds:checklists>
19 ····<ds:checks>19 ····<ds:checks>
20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-ocil.xml"/> 
21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-oval.xml"/>20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-oval.xml"/>
 21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-ocil.xml"/>
22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-cpe-oval.xml"/>22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-firefox-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-firefox-cpe-oval.xml"/>
23 ····</ds:checks>23 ····</ds:checks>
24 ··</ds:data-stream>24 ··</ds:data-stream>
25 ··<ds:component·id="scap_org.open-scap_comp_ssg-firefox-ocil.xml"·timestamp="2020-07-11T15:38:37">25 ··<ds:component·id="scap_org.open-scap_comp_ssg-firefox-oval.xml"·timestamp="2020-07-12T18:44:50">
26 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0"> 
27 ······<ns0:generator> 
28 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name> 
29 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version> 
30 ········<ns0:schema_version>2.0</ns0:schema_version> 
31 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp> 
32 ······</ns0:generator> 
33 ······<ns0:questionnaires> 
34 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1"> 
35 ··········<ns0:title>The·DoD·Root·Certificate·Exists</ns0:title> 
36 ··········<ns0:actions> 
37 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ns0:test_action_ref> 
38 ··········</ns0:actions> 
39 ········</ns0:questionnaire> 
40 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1"> 
41 ··········<ns0:title>Enable·Shared·System·Certificates</ns0:title> 
42 ··········<ns0:actions> 
43 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ns0:test_action_ref> 
44 ··········</ns0:actions> 
45 ········</ns0:questionnaire> 
46 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_user_notice_ocil:questionnaire:1"> 
47 ··········<ns0:title>Disable·User·Prompt·When·Data·Is·Cleared</ns0:title> 
48 ··········<ns0:actions> 
49 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1</ns0:test_action_ref> 
50 ··········</ns0:actions> 
51 ········</ns0:questionnaire> 
52 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_clear_ocil:questionnaire:1"> 
53 ··········<ns0:title>Clear·Data·When·Firefox·Closes</ns0:title> 
54 ··········<ns0:actions> 
55 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_clear_action:testaction:1</ns0:test_action_ref> 
56 ··········</ns0:actions> 
57 ········</ns0:questionnaire> 
58 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_obscure_ocil:questionnaire:1"> 
59 ··········<ns0:title>Disable·Firefox·Configuration·File·ROT-13·Encoding</ns0:title> 
60 ··········<ns0:actions> 
61 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_obscure_action:testaction:1</ns0:test_action_ref> 
62 ··········</ns0:actions> 
63 ········</ns0:questionnaire> 
64 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_config_file_ocil:questionnaire:1"> 
65 ··········<ns0:title>Set·Firefox·Configuration·File·Location</ns0:title> 
66 ··········<ns0:actions> 
67 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1</ns0:test_action_ref> 
68 ··········</ns0:actions> 
69 ········</ns0:questionnaire> 
70 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_protocol_tls_ocil:questionnaire:1"> 
71 ··········<ns0:title>Enable·TLS·Usage·in·Firefox</ns0:title> 
72 ··········<ns0:actions> 
73 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-ssl_protocol_tls_action:testaction:1</ns0:test_action_ref> 
74 ··········</ns0:actions> 
75 ········</ns0:questionnaire> 
76 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-home_page_ocil:questionnaire:1"> 
77 ··········<ns0:title>Default·Firefox·Home·Page·Configured</ns0:title> 
78 ··········<ns0:actions> 
79 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-home_page_action:testaction:1</ns0:test_action_ref> 
80 ··········</ns0:actions> 
81 ········</ns0:questionnaire> 
82 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-shell_protocol_ocil:questionnaire:1"> 
83 ··········<ns0:title>Disable·Firefox·Access·to·Shell·Protocols</ns0:title> 
84 ··········<ns0:actions> 
85 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-shell_protocol_action:testaction:1</ns0:test_action_ref> 
86 ··········</ns0:actions> 
87 ········</ns0:questionnaire> 
88 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-auto-download_actions_ocil:questionnaire:1"> 
89 ··········<ns0:title>Disable·Automatic·Downloads·of·MIME·Types</ns0:title> 
90 ··········<ns0:actions> 
91 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-auto-download_actions_action:testaction:1</ns0:test_action_ref> 
92 ··········</ns0:actions> 
93 ········</ns0:questionnaire> 
94 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-search_update_ocil:questionnaire:1"> 
95 ··········<ns0:title>Disable·Installed·Search·Plugins·Update·Checking</ns0:title> 
96 ··········<ns0:actions> 
97 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-search_update_action:testaction:1</ns0:test_action_ref> 
98 ··········</ns0:actions> 
99 ········</ns0:questionnaire> 
100 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-addons_plugin_updates_ocil:questionnaire:1"> 
101 ··········<ns0:title>Disable·Addons·Plugin·Updates</ns0:title> 
102 ··········<ns0:actions> 
103 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-addons_plugin_updates_action:testaction:1</ns0:test_action_ref> 
104 ··········</ns0:actions> 
105 ········</ns0:questionnaire> 
106 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-open_confirmation_ocil:questionnaire:1"> 
107 ··········<ns0:title>Enable·Downloading·and·Opening·File·Confirmation</ns0:title> 
108 ··········<ns0:actions> 
109 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-open_confirmation_action:testaction:1</ns0:test_action_ref> 
110 ··········</ns0:actions> 
111 ········</ns0:questionnaire> 
112 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_window_resizing_ocil:questionnaire:1"> 
113 ··········<ns0:title>Disable·JavaScript's·Moving·Or·Resizing·Windows·Capability</ns0:title> 
114 ··········<ns0:actions> 
115 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_window_resizing_action:testaction:1</ns0:test_action_ref> 
116 ··········</ns0:actions> 
117 ········</ns0:questionnaire> 
118 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-verification_ocil:questionnaire:1"> 
119 ··········<ns0:title>Enable·Certificate·Verification</ns0:title> 
120 ··········<ns0:actions> 
121 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-verification_action:testaction:1</ns0:test_action_ref> 
122 ··········</ns0:actions> 
123 ········</ns0:questionnaire> 
124 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-pop-up_windows_ocil:questionnaire:1"> 
125 ··········<ns0:title>Enable·Firefox·Pop-up·Blocker</ns0:title> 
126 ··········<ns0:actions> 
127 ············<ns0:test_action_ref>ocil:ssg-firefox_preferences-pop-up_windows_action:testaction:1</ns0:test_action_ref> 
128 ··········</ns0:actions> 
129 ········</ns0:questionnaire> 
130 ········<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_version_2_ocil:questionnaire:1"> 
131 ··········<ns0:title>Disable·SSL·Version·2.0·in·Firefox</ns0:title> 
Max diff block lines reached; 140060/180097 bytes (77.77%) of diff not shown.
17.2 KB
./usr/share/xml/scap/ssg/content/ssg-firefox-ocil.xml
17.1 KB
./usr/share/xml/scap/ssg/content/ssg-firefox-ocil.xml
    
Offset 3, 26 lines modifiedOffset 3, 14 lines modified
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>4 ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
5 ····<ns0:product_version>ssg:·0.1.39</ns0:product_version>5 ····<ns0:product_version>ssg:·0.1.39</ns0:product_version>
6 ····<ns0:schema_version>2.0</ns0:schema_version>6 ····<ns0:schema_version>2.0</ns0:schema_version>
7 ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>7 ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:questionnaires>9 ··<ns0:questionnaires>
10 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1"> 
11 ······<ns0:title>The·DoD·Root·Certificate·Exists</ns0:title> 
12 ······<ns0:actions> 
13 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ns0:test_action_ref> 
14 ······</ns0:actions> 
15 ····</ns0:questionnaire> 
16 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1"> 
17 ······<ns0:title>Enable·Shared·System·Certificates</ns0:title> 
18 ······<ns0:actions> 
19 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ns0:test_action_ref> 
20 ······</ns0:actions> 
21 ····</ns0:questionnaire> 
22 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_user_notice_ocil:questionnaire:1">10 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_user_notice_ocil:questionnaire:1">
23 ······<ns0:title>Disable·User·Prompt·When·Data·Is·Cleared</ns0:title>11 ······<ns0:title>Disable·User·Prompt·When·Data·Is·Cleared</ns0:title>
24 ······<ns0:actions>12 ······<ns0:actions>
25 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1</ns0:test_action_ref>13 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1</ns0:test_action_ref>
26 ······</ns0:actions>14 ······</ns0:actions>
27 ····</ns0:questionnaire>15 ····</ns0:questionnaire>
28 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_clear_ocil:questionnaire:1">16 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-cookies_clear_ocil:questionnaire:1">
Offset 39, 14 lines modifiedOffset 27, 26 lines modified
39 ····</ns0:questionnaire>27 ····</ns0:questionnaire>
40 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_config_file_ocil:questionnaire:1">28 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-lock_settings_config_file_ocil:questionnaire:1">
41 ······<ns0:title>Set·Firefox·Configuration·File·Location</ns0:title>29 ······<ns0:title>Set·Firefox·Configuration·File·Location</ns0:title>
42 ······<ns0:actions>30 ······<ns0:actions>
43 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1</ns0:test_action_ref>31 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1</ns0:test_action_ref>
44 ······</ns0:actions>32 ······</ns0:actions>
45 ····</ns0:questionnaire>33 ····</ns0:questionnaire>
 34 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_ocil:questionnaire:1">
 35 ······<ns0:title>The·DoD·Root·Certificate·Exists</ns0:title>
 36 ······<ns0:actions>
 37 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1</ns0:test_action_ref>
 38 ······</ns0:actions>
 39 ····</ns0:questionnaire>
 40 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-enable_ca_trust_ocil:questionnaire:1">
 41 ······<ns0:title>Enable·Shared·System·Certificates</ns0:title>
 42 ······<ns0:actions>
 43 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1</ns0:test_action_ref>
 44 ······</ns0:actions>
 45 ····</ns0:questionnaire>
46 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_protocol_tls_ocil:questionnaire:1">46 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-ssl_protocol_tls_ocil:questionnaire:1">
47 ······<ns0:title>Enable·TLS·Usage·in·Firefox</ns0:title>47 ······<ns0:title>Enable·TLS·Usage·in·Firefox</ns0:title>
48 ······<ns0:actions>48 ······<ns0:actions>
49 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-ssl_protocol_tls_action:testaction:1</ns0:test_action_ref>49 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-ssl_protocol_tls_action:testaction:1</ns0:test_action_ref>
50 ······</ns0:actions>50 ······</ns0:actions>
51 ····</ns0:questionnaire>51 ····</ns0:questionnaire>
52 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-home_page_ocil:questionnaire:1">52 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-home_page_ocil:questionnaire:1">
Offset 123, 18 lines modifiedOffset 123, 18 lines modified
123 ····</ns0:questionnaire>123 ····</ns0:questionnaire>
124 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_window_changes_ocil:questionnaire:1">124 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_window_changes_ocil:questionnaire:1">
125 ······<ns0:title>Disable·JavaScript's·Raise·Or·Lower·Windows·Capability</ns0:title>125 ······<ns0:title>Disable·JavaScript's·Raise·Or·Lower·Windows·Capability</ns0:title>
126 ······<ns0:actions>126 ······<ns0:actions>
127 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_window_changes_action:testaction:1</ns0:test_action_ref>127 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_window_changes_action:testaction:1</ns0:test_action_ref>
128 ······</ns0:actions>128 ······</ns0:actions>
129 ····</ns0:questionnaire>129 ····</ns0:questionnaire>
130 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_context_menus_ocil:questionnaire:1">130 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_status_bar_text_ocil:questionnaire:1">
131 ······<ns0:title>Disable·JavaScript·Context·Menus</ns0:title>131 ······<ns0:title>Disable·JavaScript's·Ability·To·Modify·The·Browser·Appearance</ns0:title>
132 ······<ns0:actions>132 ······<ns0:actions>
133 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_context_menus_action:testaction:1</ns0:test_action_ref>133 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_status_bar_text_action:testaction:1</ns0:test_action_ref>
134 ······</ns0:actions>134 ······</ns0:actions>
135 ····</ns0:questionnaire>135 ····</ns0:questionnaire>
136 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_status_bar_changes_ocil:questionnaire:1">136 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_status_bar_changes_ocil:questionnaire:1">
137 ······<ns0:title>Disable·JavaScript's·Ability·To·Change·The·Status·Bar</ns0:title>137 ······<ns0:title>Disable·JavaScript's·Ability·To·Change·The·Status·Bar</ns0:title>
138 ······<ns0:actions>138 ······<ns0:actions>
139 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_status_bar_changes_action:testaction:1</ns0:test_action_ref>139 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_status_bar_changes_action:testaction:1</ns0:test_action_ref>
140 ······</ns0:actions>140 ······</ns0:actions>
Offset 165, 63 lines modifiedOffset 165, 63 lines modified
165 ····</ns0:questionnaire>165 ····</ns0:questionnaire>
166 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-password_store_ocil:questionnaire:1">166 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-password_store_ocil:questionnaire:1">
167 ······<ns0:title>Disable·the·Firefox·Password·Store</ns0:title>167 ······<ns0:title>Disable·the·Firefox·Password·Store</ns0:title>
168 ······<ns0:actions>168 ······<ns0:actions>
169 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-password_store_action:testaction:1</ns0:test_action_ref>169 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-password_store_action:testaction:1</ns0:test_action_ref>
170 ······</ns0:actions>170 ······</ns0:actions>
171 ····</ns0:questionnaire>171 ····</ns0:questionnaire>
172 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_status_bar_text_ocil:questionnaire:1">172 ····<ns0:questionnaire·id="ocil:ssg-firefox_preferences-javascript_context_menus_ocil:questionnaire:1">
173 ······<ns0:title>Disable·JavaScript's·Ability·To·Modify·The·Browser·Appearance</ns0:title>173 ······<ns0:title>Disable·JavaScript·Context·Menus</ns0:title>
174 ······<ns0:actions>174 ······<ns0:actions>
175 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_status_bar_text_action:testaction:1</ns0:test_action_ref>175 ········<ns0:test_action_ref>ocil:ssg-firefox_preferences-javascript_context_menus_action:testaction:1</ns0:test_action_ref>
176 ······</ns0:actions>176 ······</ns0:actions>
177 ····</ns0:questionnaire>177 ····</ns0:questionnaire>
178 ··</ns0:questionnaires>178 ··</ns0:questionnaires>
179 ··<ns0:test_actions>179 ··<ns0:test_actions>
180 ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1">180 ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-cookies_user_notice_question:question:1">
181 ······<ns0:when_true>181 ······<ns0:when_true>
182 ········<ns0:result>PASS</ns0:result>182 ········<ns0:result>PASS</ns0:result>
183 ······</ns0:when_true>183 ······</ns0:when_true>
184 ······<ns0:when_false>184 ······<ns0:when_false>
185 ········<ns0:result>FAIL</ns0:result>185 ········<ns0:result>FAIL</ns0:result>
186 ······</ns0:when_false>186 ······</ns0:when_false>
187 ····</ns0:boolean_question_test_action>187 ····</ns0:boolean_question_test_action>
188 ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-enable_ca_trust_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-enable_ca_trust_question:question:1">188 ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-cookies_clear_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-cookies_clear_question:question:1">
189 ······<ns0:when_true>189 ······<ns0:when_true>
190 ········<ns0:result>PASS</ns0:result>190 ········<ns0:result>PASS</ns0:result>
191 ······</ns0:when_true>191 ······</ns0:when_true>
192 ······<ns0:when_false>192 ······<ns0:when_false>
193 ········<ns0:result>FAIL</ns0:result>193 ········<ns0:result>FAIL</ns0:result>
194 ······</ns0:when_false>194 ······</ns0:when_false>
195 ····</ns0:boolean_question_test_action>195 ····</ns0:boolean_question_test_action>
196 ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-cookies_user_notice_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-cookies_user_notice_question:question:1">196 ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-lock_settings_obscure_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-lock_settings_obscure_question:question:1">
197 ······<ns0:when_true>197 ······<ns0:when_true>
198 ········<ns0:result>PASS</ns0:result>198 ········<ns0:result>PASS</ns0:result>
199 ······</ns0:when_true>199 ······</ns0:when_true>
200 ······<ns0:when_false>200 ······<ns0:when_false>
201 ········<ns0:result>FAIL</ns0:result>201 ········<ns0:result>FAIL</ns0:result>
202 ······</ns0:when_false>202 ······</ns0:when_false>
203 ····</ns0:boolean_question_test_action>203 ····</ns0:boolean_question_test_action>
204 ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-cookies_clear_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-cookies_clear_question:question:1">204 ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-lock_settings_config_file_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-lock_settings_config_file_question:question:1">
205 ······<ns0:when_true>205 ······<ns0:when_true>
206 ········<ns0:result>PASS</ns0:result>206 ········<ns0:result>PASS</ns0:result>
207 ······</ns0:when_true>207 ······</ns0:when_true>
208 ······<ns0:when_false>208 ······<ns0:when_false>
209 ········<ns0:result>FAIL</ns0:result>209 ········<ns0:result>FAIL</ns0:result>
210 ······</ns0:when_false>210 ······</ns0:when_false>
211 ····</ns0:boolean_question_test_action>211 ····</ns0:boolean_question_test_action>
212 ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-lock_settings_obscure_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-lock_settings_obscure_question:question:1">212 ····<ns0:boolean_question_test_action·id="ocil:ssg-firefox_preferences-dod_root_certificate_installed_action:testaction:1"·question_ref="ocil:ssg-firefox_preferences-dod_root_certificate_installed_question:question:1">
213 ······<ns0:when_true>213 ······<ns0:when_true>
214 ········<ns0:result>PASS</ns0:result>214 ········<ns0:result>PASS</ns0:result>
215 ······</ns0:when_true>215 ······</ns0:when_true>
216 ······<ns0:when_false>216 ······<ns0:when_false>
217 ········<ns0:result>FAIL</ns0:result>217 ········<ns0:result>FAIL</ns0:result>
218 ······</ns0:when_false>218 ······</ns0:when_false>
Max diff block lines reached; 8598/17391 bytes (49.44%) of diff not shown.
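--- a/usr/share/xml/scap/ssg/content/ssg-firefox-oval.xml
+++ b/usr/share/xml/scap/ssg/content/ssg-firefox-oval.xml
@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <ns0:oval_definitions xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
   <ns0:generator>
     <ns2:product_name>combine-ovals.py from SCAP Security Guide</ns2:product_name>
     <ns2:product_version>ssg: 0.1.39, python: 2.7.16</ns2:product_version>
     <ns2:schema_version>5.11</ns2:schema_version>
-    <ns2:timestamp>2020-07-12T03:29:39</ns2:timestamp>
+    <ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp>
   </ns0:generator>
   <ns0:definitions>
     <ns0:definition class="compliance" id="oval:ssg-firefox_preferences-addons_plugin_updates:def:1" version="1">
       <ns0:metadata>
         <ns0:title>Disable Addons Plugin Updates</ns0:title>
         <ns0:affected family="unix">
           <ns0:platform>Mozilla Firefox</ns0:platform>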
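Review bot: The `<ns2:timestamp>` on line 7 of this hunk is the build's wall-clock time and is the sole reason the two builds of this file differ, so checksum comparison of the shipped OVAL content can never distinguish a clean rebuild from a modified file. combine-ovals.py should take the generator timestamp from SOURCE_DATE_EPOCH (or pin it the way the OCIL generator already emits a fixed `2018-07-26T14:58:28Z`) rather than the current time; the same drift appears in the `timestamp=` attribute of `<ds:component>` in ssg-firefox-ds.xml. The reordered `<cat:uri>` and `<ds:component-ref>` entries in the ds.xml catalog and the shuffled `<ns0:questionnaire>` / `<ns0:boolean_question_test_action>` blocks in ssg-firefox-ocil.xml look like unordered set or dict iteration in the Python 2.7 generator recorded in `<ns2:product_version>`, and sorting those collections by id before serialisation would make the data stream reproducible. Each of those hunks is cut off by the diff-size limit, so the full extent of the reordering is not visible here.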
96.7 KB
./usr/share/xml/scap/ssg/content/ssg-firefox-xccdf.xml
96.6 KB
./usr/share/xml/scap/ssg/content/ssg-firefox-xccdf.xml
    
Offset 209, 219 lines modifiedOffset 209, 14 lines modified
209 ····<select·idref="remediation_functions"·selected="false"/>209 ····<select·idref="remediation_functions"·selected="false"/>
210 ····<refine-value·idref="var_default_home_page"·selector="about_blank"/>210 ····<refine-value·idref="var_default_home_page"·selector="about_blank"/>
211 ····<refine-value·idref="var_required_file_types"·selector="default"/>211 ····<refine-value·idref="var_required_file_types"·selector="default"/>
212 ··</Profile>212 ··</Profile>
213 ··<Group·id="remediation_functions">213 ··<Group·id="remediation_functions">
214 ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title>214 ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title>
215 ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description>215 ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description>
216 ····<Value·hidden="true"·id="function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> 
217 ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_watch_rule</title> 
218 ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> 
219 ······<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: 
220 #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements 
221 #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect 
222 #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules 
223 # 
224 #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: 
225 #·*·audit·tool»    »    »    »    tool·used·to·load·audit·rules, 
226 #·»      »      »      »      »      either·'auditctl',·or·'augenrules' 
227 #·*·path························» value·of·-w·audit·rule's·argument 
228 #·*·required·access·bits········»   value·of·-p·audit·rule's·argument 
229 #·*·key·························»  value·of·-k·audit·rule's·argument 
230 # 
231 #·Example·call: 
232 # 
233 #·······fix_audit_watch_rule·&quot;auditctl&quot;·&quot;/etc/localtime&quot;·&quot;wa&quot;·&quot;audit_time_rules&quot; 
234 # 
235 function·fix_audit_watch_rule·{ 
  
236 #·Load·function·arguments·into·local·variables 
237 local·tool=&quot;$1&quot; 
238 local·path=&quot;$2&quot; 
239 local·required_access_bits=&quot;$3&quot; 
240 local·key=&quot;$4&quot; 
  
241 #·Check·sanity·of·the·input 
242 if·[·$#·-ne·&quot;4&quot;·] 
243 then 
244 »       echo·&quot;Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'&quot; 
245 »       echo·&quot;Aborting.&quot; 
246 »       exit·1 
247 fi 
  
248 #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness 
249 #·of·a·particular·audit·rule.·The·scheme·is·as·follows: 
250 # 
251 #·----------------------------------------------------------------------------------------- 
252 #·Tool·used·to·load·audit·rules»      |·Rule·already·defined»   |··Audit·rules·file·to·inspect»   ··| 
253 #·----------------------------------------------------------------------------------------- 
254 #»      auditctl»      »      |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| 
255 #·----------------------------------------------------------------------------------------- 
256 #·»      augenrules»    »    |··········Yes»»|··/etc/audit/rules.d/*.rules»     ··| 
257 #·»      augenrules»    »    |··········No» » |··/etc/audit/rules.d/$key.rules··| 
258 #·----------------------------------------------------------------------------------------- 
259 declare·-a·files_to_inspect 
  
260 #·Check·sanity·of·the·specified·audit·tool 
261 if·[·&quot;$tool&quot;·!=·'auditctl'·]·&amp;&amp;·[·&quot;$tool&quot;·!=·'augenrules'·] 
262 then 
263 »       echo·&quot;Unknown·audit·rules·loading·tool:·$1.·Aborting.&quot; 
264 »       echo·&quot;Use·either·'auditctl'·or·'augenrules'!&quot; 
265 »       exit·1 
266 #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' 
267 #·into·the·list·of·files·to·be·inspected 
268 elif·[·&quot;$tool&quot;·==·'auditctl'·] 
269 then 
270 »       files_to_inspect=(&quot;${files_to_inspect[@]}&quot;·'/etc/audit/audit.rules') 
271 #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined 
272 #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. 
273 #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. 
274 elif·[·&quot;$tool&quot;·==·'augenrules'·] 
275 then 
276 »       #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file 
277 »       #·Get·pair·--·filepath·:·matching_row·into·@matches·array 
278 »       IFS=$'\n'·matches=($(grep·-P·&quot;[\s]*-w[\s]+$path&quot;·/etc/audit/rules.d/*.rules)) 
279 »       #·Reset·IFS·back·to·default 
280 »       unset·IFS 
281 »       #·For·each·of·the·matched·entries 
282 »       for·match·in·&quot;${matches[@]}&quot; 
283 »       do 
284 »       »       #·Extract·filepath·from·the·match 
285 »       »       rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') 
286 »       »       #·Append·that·path·into·list·of·files·for·inspection 
287 »       »       files_to_inspect=(&quot;${files_to_inspect[@]}&quot;·&quot;$rulesd_audit_file&quot;) 
288 »       done 
289 »       #·Case·when·particular·audit·rule·isn't·defined·yet 
290 »       if·[·${#files_to_inspect[@]}·-eq·&quot;0&quot;·] 
291 »       then 
292 »       »       #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection 
293 »       »       files_to_inspect=&quot;/etc/audit/rules.d/$key.rules&quot; 
294 »       »       #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions 
295 »       »       if·[·!·-e·&quot;$files_to_inspect&quot;·] 
296 »       »       then 
297 »       »       »       touch·&quot;$files_to_inspect&quot; 
298 »       »       »       chmod·0640·&quot;$files_to_inspect&quot; 
299 »       »       fi 
300 »       fi 
301 fi 
  
302 #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule 
303 #·correction·for·each·of·the·files·previously·identified·for·inspection 
304 for·audit_rules_file·in·&quot;${files_to_inspect[@]}&quot; 
305 do 
  
306 »       #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present 
307 »       if·grep·-q·-P·--·&quot;[\s]*-w[\s]+$path&quot;·&quot;$audit_rules_file&quot; 
308 »       then 
309 »       »       #·Rule·is·found·=&gt;·verify·yet·if·existing·rule·definition·contains 
310 »       »       #·all·of·the·required·access·type·bits 
  
311 »       »       #·Escape·slashes·in·path·for·use·in·sed·pattern·below 
312 »       »       local·esc_path=${path//$'/'/$'\/'} 
313 »       »       #·Define·BRE·whitespace·class·shortcut 
314 »       »       local·sp=&quot;[[:space:]]&quot; 
315 »       »       #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule 
316 »       »       current_access_bits=$(sed·-ne·&quot;s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p&quot;·&quot;$audit_rules_file&quot;) 
317 »       »       #·Split·required·access·bits·string·into·characters·array 
318 »       »       #·(to·check·bit's·presence·for·one·bit·at·a·time) 
319 »       »       for·access_bit·in·$(echo·&quot;$required_access_bits&quot;·|·grep·-o·.) 
320 »       »       do 
321 »       »       »       #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check 
322 »       »       »       #·if·they·are·already·present·in·current·access·bits·for·rule. 
323 »       »       »       #·If·not,·append·that·bit·at·the·end 
324 »       »       »       if·!·grep·-q·&quot;$access_bit&quot;·&lt;&lt;&lt;·&quot;$current_access_bits&quot; 
325 »       »       »       then 
326 »       »       »       »       #·Concatenate·the·existing·mask·with·the·missing·bit 
327 »       »       »       »       current_access_bits=&quot;$current_access_bits$access_bit&quot; 
328 »       »       »       fi 
Max diff block lines reached; 88120/98786 bytes (89.20%) of diff not shown.
1.63 KB
./usr/share/xml/scap/ssg/content/ssg-jre-cpe-oval.xml
1.53 KB
./usr/share/xml/scap/ssg/content/ssg-jre-cpe-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:30:50</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:23:21</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1">10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>Java·Runtime·Environment</ns0:title>12 ········<ns0:title>Java·Runtime·Environment</ns0:title>
13 ········<ns0:affected·family="unix">13 ········<ns0:affected·family="unix">
14 ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product>14 ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product>
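Review bot: The only line that differs between the two builds of this file is the `<ns2:timestamp>` element in the generator block (`2020-07-12T03:30:50` vs `2020-07-12T04:23:21`), so combine-ovals.py is stamping wall-clock build time into the OVAL output and that alone breaks bit-for-bit reproducibility of the package. The same element differs in ssg-jre-oval.xml and inside ssg-jre-ds.xml, where the `ds:component ... timestamp=` attributes also change between builds. By contrast the OCIL generator's `<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>` is identical in both builds and matches the packaged file mtimes, which suggests that generator already takes its date from a fixed source (presumably the changelog date or SOURCE_DATE_EPOCH). The OVAL combiner and the datastream assembly should derive their timestamps the same way, e.g. from SOURCE_DATE_EPOCH when it is set, so that a rebuild can be verified against the shipped artifact.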
84.3 KB
./usr/share/xml/scap/ssg/content/ssg-jre-ds.xml
84.2 KB
./usr/share/xml/scap/ssg/content/ssg-jre-ds.xml
    
Offset 18, 21 lines modifiedOffset 18, 21 lines modified
18 ····</ds:checklists>18 ····</ds:checklists>
19 ····<ds:checks>19 ····<ds:checks>
20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-oval.xml"/>20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-oval.xml"/>
21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-ocil.xml"/>21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-ocil.xml"/>
22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-cpe-oval.xml"/>22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-jre-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-jre-cpe-oval.xml"/>
23 ····</ds:checks>23 ····</ds:checks>
24 ··</ds:data-stream>24 ··</ds:data-stream>
25 ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-oval.xml"·timestamp="2020-07-11T15:38:58">25 ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-oval.xml"·timestamp="2020-07-12T18:45:47">
26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
27 ······<ns0:generator>27 ······<ns0:generator>
28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
30 ········<ns2:schema_version>5.11</ns2:schema_version>30 ········<ns2:schema_version>5.11</ns2:schema_version>
31 ········<ns2:timestamp>2020-07-12T03:30:50</ns2:timestamp>31 ········<ns2:timestamp>2020-07-12T04:23:21</ns2:timestamp>
32 ······</ns0:generator>32 ······</ns0:generator>
33 ······<ns0:definitions>33 ······<ns0:definitions>
34 ········<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1">34 ········<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1">
35 ··········<ns0:metadata>35 ··········<ns0:metadata>
36 ············<ns0:title>Java·Runtime·Environment</ns0:title>36 ············<ns0:title>Java·Runtime·Environment</ns0:title>
37 ············<ns0:affected·family="unix">37 ············<ns0:affected·family="unix">
38 ··············<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product>38 ··············<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product>
Offset 314, 15 lines modifiedOffset 314, 15 lines modified
314 ········</ns3:rpminfo_state>314 ········</ns3:rpminfo_state>
315 ········<ns3:rpminfo_state·id="oval:ssg-state_ibm_java_rhel:ste:1"·version="1">315 ········<ns3:rpminfo_state·id="oval:ssg-state_ibm_java_rhel:ste:1"·version="1">
316 ··········<ns3:evr·datatype="evr_string"·operation="greater·than·or·equal">.*1.6.0.*</ns3:evr>316 ··········<ns3:evr·datatype="evr_string"·operation="greater·than·or·equal">.*1.6.0.*</ns3:evr>
317 ········</ns3:rpminfo_state>317 ········</ns3:rpminfo_state>
318 ······</ns0:states>318 ······</ns0:states>
319 ····</ns0:oval_definitions>319 ····</ns0:oval_definitions>
320 ··</ds:component>320 ··</ds:component>
321 ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-ocil.xml"·timestamp="2020-07-11T15:38:58">321 ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-ocil.xml"·timestamp="2020-07-12T18:45:47">
322 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">322 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">
323 ······<ns0:generator>323 ······<ns0:generator>
324 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>324 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
325 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>325 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>
326 ········<ns0:schema_version>2.0</ns0:schema_version>326 ········<ns0:schema_version>2.0</ns0:schema_version>
327 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>327 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
328 ······</ns0:generator>328 ······</ns0:generator>
Offset 576, 15 lines modifiedOffset 576, 15 lines modified
576 If·properly·configured,·the·output·should·return:576 If·properly·configured,·the·output·should·return:
577 deployment.security.validation.ocsp=true577 deployment.security.validation.ocsp=true
578 »       »       »       Is·it·the·case·that·it·does·not·exist·or·is·not·configured·properly?</ns0:question_text>578 »       »       »       Is·it·the·case·that·it·does·not·exist·or·is·not·configured·properly?</ns0:question_text>
579 ········</ns0:boolean_question>579 ········</ns0:boolean_question>
580 ······</ns0:questions>580 ······</ns0:questions>
581 ····</ns0:ocil>581 ····</ns0:ocil>
582 ··</ds:component>582 ··</ds:component>
583 ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-xccdf-1.2.xml"·timestamp="2020-07-11T15:39:19">583 ··<ds:component·id="scap_org.open-scap_comp_ssg-jre-xccdf-1.2.xml"·timestamp="2020-07-12T18:47:00">
584 ····<Benchmark·id="xccdf_org.ssgproject.content_benchmark_JRE"·resolved="1"·style="SCAP_1.2"·xml:lang="en-US"·xmlns="http://checklists.nist.gov/xccdf/1.2">584 ····<Benchmark·id="xccdf_org.ssgproject.content_benchmark_JRE"·resolved="1"·style="SCAP_1.2"·xml:lang="en-US"·xmlns="http://checklists.nist.gov/xccdf/1.2">
585 ······<status·date="2018-07-26">draft</status>585 ······<status·date="2018-07-26">draft</status>
586 ······<title·xml:lang="en-US">Guide·to·the·Secure·Configuration·of·Java·Runtime·Environment</title>586 ······<title·xml:lang="en-US">Guide·to·the·Secure·Configuration·of·Java·Runtime·Environment</title>
587 ······<description·xml:lang="en-US">587 ······<description·xml:lang="en-US">
588 ········This·guide·presents·a·catalog·of·security-relevant588 ········This·guide·presents·a·catalog·of·security-relevant
589 configuration·settings·for·Java·Runtime·Environment.·It·is·a·rendering·of589 configuration·settings·for·Java·Runtime·Environment.·It·is·a·rendering·of
590 content·structured·in·the·eXtensible·Configuration·Checklist·Description·Format·(XCCDF)590 content·structured·in·the·eXtensible·Configuration·Checklist·Description·Format·(XCCDF)
Offset 772, 219 lines modifiedOffset 772, 14 lines modified
772 ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_validation_ocsp_locked"·selected="true"/>772 ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_validation_ocsp_locked"·selected="true"/>
773 ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_updated"·selected="true"/>773 ········<select·idref="xccdf_org.ssgproject.content_rule_java_jre_updated"·selected="true"/>
774 ········<select·idref="xccdf_org.ssgproject.content_group_remediation_functions"·selected="false"/>774 ········<select·idref="xccdf_org.ssgproject.content_group_remediation_functions"·selected="false"/>
775 ······</Profile>775 ······</Profile>
776 ······<Group·id="xccdf_org.ssgproject.content_group_remediation_functions">776 ······<Group·id="xccdf_org.ssgproject.content_group_remediation_functions">
777 ········<title·xml:lang="en-US">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title>777 ········<title·xml:lang="en-US">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title>
778 ········<description·xml:lang="en-US">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description>778 ········<description·xml:lang="en-US">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description>
779 ········<Value·hidden="true"·id="xccdf_org.ssgproject.content_value_function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> 
780 ··········<title·xml:lang="en-US">Remediation·function·fix_audit_watch_rule</title> 
781 ··········<description·xml:lang="en-US">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> 
782 ··········<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: 
783 #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements 
784 #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect 
785 #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules 
786 # 
787 #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: 
788 #·*·audit·tool»    »    »    »    tool·used·to·load·audit·rules, 
789 #·»      »      »      »      »      either·'auditctl',·or·'augenrules' 
790 #·*·path························» value·of·-w·audit·rule's·argument 
791 #·*·required·access·bits········»   value·of·-p·audit·rule's·argument 
792 #·*·key·························»  value·of·-k·audit·rule's·argument 
793 # 
794 #·Example·call: 
795 # 
796 #·······fix_audit_watch_rule·&quot;auditctl&quot;·&quot;/etc/localtime&quot;·&quot;wa&quot;·&quot;audit_time_rules&quot; 
797 # 
798 function·fix_audit_watch_rule·{ 
  
799 #·Load·function·arguments·into·local·variables 
800 local·tool=&quot;$1&quot; 
801 local·path=&quot;$2&quot; 
802 local·required_access_bits=&quot;$3&quot; 
803 local·key=&quot;$4&quot; 
  
804 #·Check·sanity·of·the·input 
805 if·[·$#·-ne·&quot;4&quot;·] 
806 then 
807 »       echo·&quot;Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'&quot; 
808 »       echo·&quot;Aborting.&quot; 
809 »       exit·1 
810 fi 
  
811 #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness 
812 #·of·a·particular·audit·rule.·The·scheme·is·as·follows: 
813 # 
814 #·----------------------------------------------------------------------------------------- 
815 #·Tool·used·to·load·audit·rules»      |·Rule·already·defined»   |··Audit·rules·file·to·inspect»   ··| 
816 #·----------------------------------------------------------------------------------------- 
817 #»      auditctl»      »      |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| 
818 #·----------------------------------------------------------------------------------------- 
819 #·»      augenrules»    »    |··········Yes»»|··/etc/audit/rules.d/*.rules»     ··| 
820 #·»      augenrules»    »    |··········No» » |··/etc/audit/rules.d/$key.rules··| 
821 #·----------------------------------------------------------------------------------------- 
822 declare·-a·files_to_inspect 
  
823 #·Check·sanity·of·the·specified·audit·tool 
824 if·[·&quot;$tool&quot;·!=·'auditctl'·]·&amp;&amp;·[·&quot;$tool&quot;·!=·'augenrules'·] 
825 then 
826 »       echo·&quot;Unknown·audit·rules·loading·tool:·$1.·Aborting.&quot; 
827 »       echo·&quot;Use·either·'auditctl'·or·'augenrules'!&quot; 
828 »       exit·1 
829 #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' 
830 #·into·the·list·of·files·to·be·inspected 
831 elif·[·&quot;$tool&quot;·==·'auditctl'·] 
832 then 
833 »       files_to_inspect=(&quot;${files_to_inspect[@]}&quot;·'/etc/audit/audit.rules') 
834 #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined 
835 #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. 
836 #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. 
837 elif·[·&quot;$tool&quot;·==·'augenrules'·] 
838 then 
839 »       #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file 
840 »       #·Get·pair·--·filepath·:·matching_row·into·@matches·array 
Max diff block lines reached; 71126/86087 bytes (82.62%) of diff not shown.
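Review bot: Beyond the timestamp churn, the second build's XCCDF component is missing content: at offset 772 build 1 carries the `<Value id="xccdf_org.ssgproject.content_value_function_fix_audit_watch_rule">` element with the full shared bash remediation function inside the remediation_functions Group, while build 2 has only 14 lines there (the removed lines have old gutter numbers only), and ssg-jre-xccdf.xml shows the same drop at offset 190 for `function_fix_audit_watch_rule`. Because the diff is truncated here, it cannot be told from this page whether the Value reappears further down or is absent from build 2 altogether, but either way the set or order of embedded remediation functions varies between two builds of the same source. That is a content difference in the shipped data stream, not metadata, and it means the packaged ds.xml cannot be independently verified by rebuilding until the cause is found; the pattern looks like unstable iteration order in the step that collects shared remediation functions, which should be sorted deterministically — to be confirmed in the build scripts, which are not on this page.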
1.75 KB
./usr/share/xml/scap/ssg/content/ssg-jre-oval.xml
1.66 KB
./usr/share/xml/scap/ssg/content/ssg-jre-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:30:50</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:23:21</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1">10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_app_is_java:def:1"·version="1">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>Java·Runtime·Environment</ns0:title>12 ········<ns0:title>Java·Runtime·Environment</ns0:title>
13 ········<ns0:affected·family="unix">13 ········<ns0:affected·family="unix">
14 ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product>14 ··········<ns0:product>Java·Runtime·Environment·(JRE)</ns0:product>
77.6 KB
./usr/share/xml/scap/ssg/content/ssg-jre-xccdf.xml
77.5 KB
./usr/share/xml/scap/ssg/content/ssg-jre-xccdf.xml
    
Offset 190, 219 lines modifiedOffset 190, 14 lines modified
190 ····<select·idref="java_jre_validation_ocsp_locked"·selected="true"/>190 ····<select·idref="java_jre_validation_ocsp_locked"·selected="true"/>
191 ····<select·idref="java_jre_updated"·selected="true"/>191 ····<select·idref="java_jre_updated"·selected="true"/>
192 ····<select·idref="remediation_functions"·selected="false"/>192 ····<select·idref="remediation_functions"·selected="false"/>
193 ··</Profile>193 ··</Profile>
194 ··<Group·id="remediation_functions">194 ··<Group·id="remediation_functions">
195 ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title>195 ····<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</title>
196 ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description>196 ····<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</description>
197 ····<Value·hidden="true"·id="function_fix_audit_watch_rule"·operator="equals"·prohibitChanges="true"·type="string"> 
198 ······<title·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Remediation·function·fix_audit_watch_rule</title> 
199 ······<description·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Shared·bash·remediation·function.·Not·intended·to·be·changed·by·tailoring.</description> 
200 ······<value>#·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: 
201 #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements 
202 #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect 
203 #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules 
204 # 
205 #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: 
206 #·*·audit·tool»    »    »    »    tool·used·to·load·audit·rules, 
207 #·»      »      »      »      »      either·'auditctl',·or·'augenrules' 
208 #·*·path························» value·of·-w·audit·rule's·argument 
209 #·*·required·access·bits········»   value·of·-p·audit·rule's·argument 
210 #·*·key·························»  value·of·-k·audit·rule's·argument 
211 # 
212 #·Example·call: 
213 # 
214 #·······fix_audit_watch_rule·&quot;auditctl&quot;·&quot;/etc/localtime&quot;·&quot;wa&quot;·&quot;audit_time_rules&quot; 
215 # 
216 function·fix_audit_watch_rule·{ 
  
217 #·Load·function·arguments·into·local·variables 
218 local·tool=&quot;$1&quot; 
219 local·path=&quot;$2&quot; 
220 local·required_access_bits=&quot;$3&quot; 
221 local·key=&quot;$4&quot; 
  
222 #·Check·sanity·of·the·input 
223 if·[·$#·-ne·&quot;4&quot;·] 
224 then 
225 »       echo·&quot;Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'&quot; 
226 »       echo·&quot;Aborting.&quot; 
227 »       exit·1 
228 fi 
  
229 #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness 
230 #·of·a·particular·audit·rule.·The·scheme·is·as·follows: 
231 # 
232 #·----------------------------------------------------------------------------------------- 
233 #·Tool·used·to·load·audit·rules»      |·Rule·already·defined»   |··Audit·rules·file·to·inspect»   ··| 
234 #·----------------------------------------------------------------------------------------- 
235 #»      auditctl»      »      |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| 
236 #·----------------------------------------------------------------------------------------- 
237 #·»      augenrules»    »    |··········Yes»»|··/etc/audit/rules.d/*.rules»     ··| 
238 #·»      augenrules»    »    |··········No» » |··/etc/audit/rules.d/$key.rules··| 
239 #·----------------------------------------------------------------------------------------- 
240 declare·-a·files_to_inspect 
  
241 #·Check·sanity·of·the·specified·audit·tool 
242 if·[·&quot;$tool&quot;·!=·'auditctl'·]·&amp;&amp;·[·&quot;$tool&quot;·!=·'augenrules'·] 
243 then 
244 »       echo·&quot;Unknown·audit·rules·loading·tool:·$1.·Aborting.&quot; 
245 »       echo·&quot;Use·either·'auditctl'·or·'augenrules'!&quot; 
246 »       exit·1 
247 #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' 
248 #·into·the·list·of·files·to·be·inspected 
249 elif·[·&quot;$tool&quot;·==·'auditctl'·] 
250 then 
251 »       files_to_inspect=(&quot;${files_to_inspect[@]}&quot;·'/etc/audit/audit.rules') 
252 #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined 
253 #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. 
254 #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. 
255 elif·[·&quot;$tool&quot;·==·'augenrules'·] 
256 then 
257 »       #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file 
258 »       #·Get·pair·--·filepath·:·matching_row·into·@matches·array 
259 »       IFS=$'\n'·matches=($(grep·-P·&quot;[\s]*-w[\s]+$path&quot;·/etc/audit/rules.d/*.rules)) 
260 »       #·Reset·IFS·back·to·default 
261 »       unset·IFS 
262 »       #·For·each·of·the·matched·entries 
263 »       for·match·in·&quot;${matches[@]}&quot; 
264 »       do 
265 »       »       #·Extract·filepath·from·the·match 
266 »       »       rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') 
267 »       »       #·Append·that·path·into·list·of·files·for·inspection 
268 »       »       files_to_inspect=(&quot;${files_to_inspect[@]}&quot;·&quot;$rulesd_audit_file&quot;) 
269 »       done 
270 »       #·Case·when·particular·audit·rule·isn't·defined·yet 
271 »       if·[·${#files_to_inspect[@]}·-eq·&quot;0&quot;·] 
272 »       then 
273 »       »       #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection 
274 »       »       files_to_inspect=&quot;/etc/audit/rules.d/$key.rules&quot; 
275 »       »       #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions 
276 »       »       if·[·!·-e·&quot;$files_to_inspect&quot;·] 
277 »       »       then 
278 »       »       »       touch·&quot;$files_to_inspect&quot; 
279 »       »       »       chmod·0640·&quot;$files_to_inspect&quot; 
280 »       »       fi 
281 »       fi 
282 fi 
  
283 #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule 
284 #·correction·for·each·of·the·files·previously·identified·for·inspection 
285 for·audit_rules_file·in·&quot;${files_to_inspect[@]}&quot; 
286 do 
  
287 »       #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present 
288 »       if·grep·-q·-P·--·&quot;[\s]*-w[\s]+$path&quot;·&quot;$audit_rules_file&quot; 
289 »       then 
290 »       »       #·Rule·is·found·=&gt;·verify·yet·if·existing·rule·definition·contains 
291 »       »       #·all·of·the·required·access·type·bits 
  
292 »       »       #·Escape·slashes·in·path·for·use·in·sed·pattern·below 
293 »       »       local·esc_path=${path//$'/'/$'\/'} 
294 »       »       #·Define·BRE·whitespace·class·shortcut 
295 »       »       local·sp=&quot;[[:space:]]&quot; 
296 »       »       #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule 
297 »       »       current_access_bits=$(sed·-ne·&quot;s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p&quot;·&quot;$audit_rules_file&quot;) 
298 »       »       #·Split·required·access·bits·string·into·characters·array 
299 »       »       #·(to·check·bit's·presence·for·one·bit·at·a·time) 
300 »       »       for·access_bit·in·$(echo·&quot;$required_access_bits&quot;·|·grep·-o·.) 
301 »       »       do 
302 »       »       »       #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check 
303 »       »       »       #·if·they·are·already·present·in·current·access·bits·for·rule. 
304 »       »       »       #·If·not,·append·that·bit·at·the·end 
305 »       »       »       if·!·grep·-q·&quot;$access_bit&quot;·&lt;&lt;&lt;·&quot;$current_access_bits&quot; 
306 »       »       »       then 
307 »       »       »       »       #·Concatenate·the·existing·mask·with·the·missing·bit 
308 »       »       »       »       current_access_bits=&quot;$current_access_bits$access_bit&quot; 
309 »       »       »       fi 
Max diff block lines reached; 68628/79275 bytes (86.57%) of diff not shown.
1.3 MB
ssg-debderived_0.1.39-2_all.deb
367 B
file list
    
Offset 1, 3 lines modifiedOffset 1, 3 lines modified
1 -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary1 -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary
2 -rw-r--r--···0········0········0·····2108·2018-07-26·14:58:28.000000·control.tar.xz2 -rw-r--r--···0········0········0·····2108·2018-07-26·14:58:28.000000·control.tar.xz
3 -rw-r--r--···0········0········0···165132·2018-07-26·14:58:28.000000·data.tar.xz3 -rw-r--r--···0········0········0···165108·2018-07-26·14:58:28.000000·data.tar.xz
98.0 B
control.tar.xz
70.0 B
control.tar
48.0 B
./md5sums
30.0 B
./md5sums
Files differ
1.3 MB
data.tar.xz
1.3 MB
data.tar
68.0 KB
./usr/share/doc/ssg-debderived/ssg-ubuntu1404-guide-anssi_np_nt28_average.html
    
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 185, 44 lines modifiedOffset 185, 44 lines modified
185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
186 class·remove_telnetd-ssl·{186 class·remove_telnetd-ssl·{
187 ··package·{·'telnetd-ssl':187 ··package·{·'telnetd-ssl':
188 ····ensure·=&gt;·'purged',188 ····ensure·=&gt;·'purged',
189 ··}189 ··}
190 }190 }
191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
196 #»      ···from·the·system,·and·may·remove·any·packages196 #»      ···from·the·system,·and·may·remove·any·packages
197 #»      ···that·depend·on·telnetd.·Execute·this197 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
198 #»      ···remediation·AFTER·testing·on·a·non-production198 #»      ···remediation·AFTER·testing·on·a·non-production
199 #»      ···system!199 #»      ···system!
  
200 apt-get·remove·--purge·telnetd200 apt-get·remove·--purge·inetutils-telnetd
201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
202 ··package:202 ··package:
203 ····name="{{item}}"203 ····name="{{item}}"
204 ····state=absent204 ····state=absent
205 ··with_items:205 ··with_items:
206 ····-·telnetd206 ····-·inetutils-telnetd
207 ··tags:207 ··tags:
208 ····-·package_telnetd_removed208 ····-·package_inetutils-telnetd_removed
209 ····-·high_severity209 ····-·high_severity
210 ····-·disable_strategy210 ····-·disable_strategy
211 ····-·low_complexity211 ····-·low_complexity
212 ····-·low_disruption212 ····-·low_disruption
213 ····-·CCE-213 ····-·CCE-
214 ····-·NIST-800-53-AC-17(8)214 ····-·NIST-800-53-AC-17(8)
215 ····-·NIST-800-53-CM-7215 ····-·NIST-800-53-CM-7
216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
217 class·remove_telnetd·{217 class·remove_inetutils-telnetd·{
218 ··package·{·'telnetd':218 ··package·{·'inetutils-telnetd':
219 ····ensure·=&gt;·'purged',219 ····ensure·=&gt;·'purged',
220 ··}220 ··}
221 }221 }
222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service
225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 269, 26 lines modifiedOffset 269, 23 lines modified
269 verified·by·ensuring·that·the·following269 verified·by·ensuring·that·the·following
270 line·appears:270 line·appears:
271 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that271 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that
272 result·in·security·vulnerabilities·and272 result·in·security·vulnerabilities·and
273 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 273 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
274 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 274 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
275 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 275 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
276 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords276 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
277 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with277 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
278 empty·passwords,·add·or·correct·the·following·line·in278 edit·<code>/etc/ssh/sshd_config</code>·as
279 <code>/etc/ssh/sshd_config</code>:279 follows:
280 <pre>PermitEmptyPasswords·no</pre>280 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
281 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration281 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
282 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that282 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
283 remote·login·via·SSH·will·require·a·password, 
284 even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
285 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
286 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 283 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
287 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5041"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval284 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
288 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.285 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.
289 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.286 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.
Max diff block lines reached; 38991/69435 bytes (56.15%) of diff not shown.
72.4 KB
./usr/share/doc/ssg-debderived/ssg-ubuntu1404-guide-anssi_np_nt28_high.html
    
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·37·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·37·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 185, 44 lines modifiedOffset 185, 44 lines modified
185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
186 class·remove_telnetd-ssl·{186 class·remove_telnetd-ssl·{
187 ··package·{·'telnetd-ssl':187 ··package·{·'telnetd-ssl':
188 ····ensure·=&gt;·'purged',188 ····ensure·=&gt;·'purged',
189 ··}189 ··}
190 }190 }
191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
196 #»      ···from·the·system,·and·may·remove·any·packages196 #»      ···from·the·system,·and·may·remove·any·packages
197 #»      ···that·depend·on·telnetd.·Execute·this197 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
198 #»      ···remediation·AFTER·testing·on·a·non-production198 #»      ···remediation·AFTER·testing·on·a·non-production
199 #»      ···system!199 #»      ···system!
  
200 apt-get·remove·--purge·telnetd200 apt-get·remove·--purge·inetutils-telnetd
201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
202 ··package:202 ··package:
203 ····name="{{item}}"203 ····name="{{item}}"
204 ····state=absent204 ····state=absent
205 ··with_items:205 ··with_items:
206 ····-·telnetd206 ····-·inetutils-telnetd
207 ··tags:207 ··tags:
208 ····-·package_telnetd_removed208 ····-·package_inetutils-telnetd_removed
209 ····-·high_severity209 ····-·high_severity
210 ····-·disable_strategy210 ····-·disable_strategy
211 ····-·low_complexity211 ····-·low_complexity
212 ····-·low_disruption212 ····-·low_disruption
213 ····-·CCE-213 ····-·CCE-
214 ····-·NIST-800-53-AC-17(8)214 ····-·NIST-800-53-AC-17(8)
215 ····-·NIST-800-53-CM-7215 ····-·NIST-800-53-CM-7
216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
217 class·remove_telnetd·{217 class·remove_inetutils-telnetd·{
218 ··package·{·'telnetd':218 ··package·{·'inetutils-telnetd':
219 ····ensure·=&gt;·'purged',219 ····ensure·=&gt;·'purged',
220 ··}220 ··}
221 }221 }
222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service
225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 363, 26 lines modifiedOffset 363, 23 lines modified
363 verified·by·ensuring·that·the·following363 verified·by·ensuring·that·the·following
364 line·appears:364 line·appears:
365 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that365 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that
366 result·in·security·vulnerabilities·and366 result·in·security·vulnerabilities·and
367 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 367 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
368 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 368 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
369 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 369 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
370 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords370 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
371 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with371 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
372 empty·passwords,·add·or·correct·the·following·line·in372 edit·<code>/etc/ssh/sshd_config</code>·as
373 <code>/etc/ssh/sshd_config</code>:373 follows:
374 <pre>PermitEmptyPasswords·no</pre>374 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
375 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration375 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
376 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that376 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
377 remote·login·via·SSH·will·require·a·password, 
378 even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
379 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
380 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 377 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
381 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5041"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval378 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
382 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.379 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.
383 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.380 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.
Max diff block lines reached; 43389/74020 bytes (58.62%) of diff not shown.
24.8 KB
./usr/share/doc/ssg-debderived/ssg-ubuntu1404-guide-anssi_np_nt28_minimal.html
    
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4858"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4858"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
Offset 155, 44 lines modifiedOffset 155, 44 lines modified
155 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl155 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
156 class·remove_telnetd-ssl·{156 class·remove_telnetd-ssl·{
157 ··package·{·'telnetd-ssl':157 ··package·{·'telnetd-ssl':
158 ····ensure·=&gt;·'purged',158 ····ensure·=&gt;·'purged',
159 ··}159 ··}
160 }160 }
161 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server161 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
162 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 162 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
163 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 163 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
164 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 164 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
165 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd165 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
166 #»      ···from·the·system,·and·may·remove·any·packages166 #»      ···from·the·system,·and·may·remove·any·packages
167 #»      ···that·depend·on·telnetd.·Execute·this167 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
168 #»      ···remediation·AFTER·testing·on·a·non-production168 #»      ···remediation·AFTER·testing·on·a·non-production
169 #»      ···system!169 #»      ···system!
  
170 apt-get·remove·--purge·telnetd170 apt-get·remove·--purge·inetutils-telnetd
171 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed171 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
172 ··package:172 ··package:
173 ····name="{{item}}"173 ····name="{{item}}"
174 ····state=absent174 ····state=absent
175 ··with_items:175 ··with_items:
176 ····-·telnetd176 ····-·inetutils-telnetd
177 ··tags:177 ··tags:
178 ····-·package_telnetd_removed178 ····-·package_inetutils-telnetd_removed
179 ····-·high_severity179 ····-·high_severity
180 ····-·disable_strategy180 ····-·disable_strategy
181 ····-·low_complexity181 ····-·low_complexity
182 ····-·low_disruption182 ····-·low_disruption
183 ····-·CCE-183 ····-·CCE-
184 ····-·NIST-800-53-AC-17(8)184 ····-·NIST-800-53-AC-17(8)
185 ····-·NIST-800-53-CM-7185 ····-·NIST-800-53-CM-7
186 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd186 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
187 class·remove_telnetd·{187 class·remove_inetutils-telnetd·{
188 ··package·{·'telnetd':188 ··package·{·'inetutils-telnetd':
189 ····ensure·=&gt;·'purged',189 ····ensure·=&gt;·'purged',
190 ··}190 ··}
191 }191 }
192 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration192 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration
193 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5108"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration193 ························  
<a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5108"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration
194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update.194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update.
195 ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted,195 ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted,
Offset 202, 25 lines modifiedOffset 202, 25 lines modified
202 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo202 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo
203 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority203 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority
204 to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system·204 to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system·
205 users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands205 users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands
206 that·normally·only·<code>root</code>·is·allowed·to·execute.206 that·normally·only·<code>root</code>·is·allowed·to·execute.
207 <br><br>207 <br><br>
208 For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see208 For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see
209 <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5405"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate209 <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5140"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate
210 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using210 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using
211 sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the211 sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the
212 <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or212 <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or
213 any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they213 any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they
214 do·not·have·authorization.214 do·not·have·authorization.
215 <br><br>215 <br><br>
216 When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it216 When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it
217 is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 217 is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
218 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 218 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
219 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5425"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD219 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5160"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD
220 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using220 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using
221 sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the221 sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the
222 <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or·222 <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or·
223 any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they223 any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they
224 do·not·have·authorization.224 do·not·have·authorization.
225 <br><br>225 <br><br>
226 When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it226 When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it
./usr/share/doc/ssg-debderived/ssg-ubuntu1404-guide-anssi_np_nt28_restrictive.html
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·36·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"><small>contains·36·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Ubuntu·1404·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 185, 44 lines modifiedOffset 185, 44 lines modified
185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
186 class·remove_telnetd-ssl·{186 class·remove_telnetd-ssl·{
187 ··package·{·'telnetd-ssl':187 ··package·{·'telnetd-ssl':
188 ····ensure·=&gt;·'purged',188 ····ensure·=&gt;·'purged',
189 ··}189 ··}
190 }190 }
191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
196 #»      ···from·the·system,·and·may·remove·any·packages196 #»      ···from·the·system,·and·may·remove·any·packages
197 #»      ···that·depend·on·telnetd.·Execute·this197 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
198 #»      ···remediation·AFTER·testing·on·a·non-production198 #»      ···remediation·AFTER·testing·on·a·non-production
199 #»      ···system!199 #»      ···system!
  
200 apt-get·remove·--purge·telnetd200 apt-get·remove·--purge·inetutils-telnetd
201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
202 ··package:202 ··package:
203 ····name="{{item}}"203 ····name="{{item}}"
204 ····state=absent204 ····state=absent
205 ··with_items:205 ··with_items:
206 ····-·telnetd206 ····-·inetutils-telnetd
207 ··tags:207 ··tags:
208 ····-·package_telnetd_removed208 ····-·package_inetutils-telnetd_removed
209 ····-·high_severity209 ····-·high_severity
210 ····-·disable_strategy210 ····-·disable_strategy
211 ····-·low_complexity211 ····-·low_complexity
212 ····-·low_disruption212 ····-·low_disruption
213 ····-·CCE-213 ····-·CCE-
214 ····-·NIST-800-53-AC-17(8)214 ····-·NIST-800-53-AC-17(8)
215 ····-·NIST-800-53-CM-7215 ····-·NIST-800-53-CM-7
216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
217 class·remove_telnetd·{217 class·remove_inetutils-telnetd·{
218 ··package·{·'telnetd':218 ··package·{·'inetutils-telnetd':
219 ····ensure·=&gt;·'purged',219 ····ensure·=&gt;·'purged',
220 ··}220 ··}
221 }221 }
222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4896"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service
225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 363, 26 lines modifiedOffset 363, 23 lines modified
363 verified·by·ensuring·that·the·following363 verified·by·ensuring·that·the·following
364 line·appears:364 line·appears:
365 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that365 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that
366 result·in·security·vulnerabilities·and366 result·in·security·vulnerabilities·and
367 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 367 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
368 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 368 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
369 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 369 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
370 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords370 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
371 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with371 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
372 empty·passwords,·add·or·correct·the·following·line·in372 edit·<code>/etc/ssh/sshd_config</code>·as
373 <code>/etc/ssh/sshd_config</code>:373 follows:
374 <pre>PermitEmptyPasswords·no</pre>374 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
375 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration375 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
376 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that376 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
377 remote·login·via·SSH·will·require·a·password, 
378 even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
379 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
380 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 377 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
381 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5041"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval378 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
382 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.379 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.
383 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.380 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.
Max diff block lines reached; 38991/69429 bytes (56.16%) of diff not shown.
./usr/share/doc/ssg-debderived/ssg-ubuntu1404-guide-default.html
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project55
 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:14.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
58 the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It58 the·software·which·Ubuntu·1404·installs·on·a·system·and·disable·software·which·is·not·needed.·It
59 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which59 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1404·system·and·provides·guidance·about·which
60 ones·can·be·safely·disabled.60 ones·can·be·safely·disabled.
61 <br><br>61 <br><br>
62 Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional62 Ubuntu·1404·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
Offset 75, 15 lines modifiedOffset 75, 23 lines modified
75 server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed75 server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed
76 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then76 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
77 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration77 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
78 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be78 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
79 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more79 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
80 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration80 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration
81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings
82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-TRUSTY"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage
 83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo
 84 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority
 85 to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system·
 86 users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands
 87 that·normally·only·<code>root</code>·is·allowed·to·execute.
 88 <br><br>
 89 For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see
 90 <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for91 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for
84 many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format,92 many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format,
85 lack·of·authentication·for·received·messages,·and·lack·of·authentication,93 lack·of·authentication·for·received·messages,·and·lack·of·authentication,
86 encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However,94 encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However,
87 due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by95 due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by
88 almost·all·Unix·applications.96 almost·all·Unix·applications.
89 <br>97 <br>
Offset 165, 23 lines modifiedOffset 173, 15 lines modified
165 stores·four·archival·copies·of·each·log.·These·settings·can·be173 stores·four·archival·copies·of·each·log.·These·settings·can·be
166 modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are174 modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are
167 sufficient·for·purposes·of·this·guide.175 sufficient·for·purposes·of·this·guide.
168 <br><br>176 <br><br>
169 Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job177 Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job
170 <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be178 <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be
171 rotated·more·often·than·once·a·day,·some·other·mechanism·must·be179 rotated·more·often·than·once·a·day,·some·other·mechanism·must·be
172 used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage180 used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_fs-part"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem
173 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo 
174 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority 
175 to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· 
176 users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands 
177 that·normally·only·<code>root</code>·is·allowed·to·execute. 
178 <br><br> 
179 For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see 
180 <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_fs-part"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem 
181 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services,181 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services,
182 data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation182 data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation
183 of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms183 of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms
184 that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning184 that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning
185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive
186 ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by186 ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by
187 partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the187 partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the
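Review bot: The sub-groups of "System Settings" come out in a different order in the two builds — the old side's table of contents lists Configure Syslog before Hardening the hardware usage and Access Control using sudo, the new side lists it after them, and the two later hunks show the same sudo/hardware blocks moved rather than edited — so the group order in this guide is not deterministic between builds. Apart from that reordering the group text looks identical, which points at the generator rather than at the benchmark content; iterating an unordered collection while assembling the group tree would produce exactly this, though that cannot be confirmed from the rendered output alone. Because this HTML is generated, the fix belongs in the build tooling: emit child groups in a fixed order (for example the order in which they are declared in the source benchmark) so that identical sources yield byte-identical guides. For a hardening guide this matters beyond cosmetics, since non-reproducible output weakens the ability to verify that the shipped document matches the source benchmark.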
53.9 KB
./usr/share/doc/ssg-debderived/ssg-ubuntu1404-guide-standard.html
    
Offset 91, 44 lines modifiedOffset 91, 44 lines modified
91 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis91 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4832">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4832"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
92 class·remove_nis·{92 class·remove_nis·{
93 ··package·{·'nis':93 ··package·{·'nis':
94 ····ensure·=&gt;·'purged',94 ····ensure·=&gt;·'purged',
95 ··}95 ··}
96 }96 }
97 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server97 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4835"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
99 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 99 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
100 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 100 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
101 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd101 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4843">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4843"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
102 #»      ···from·the·system,·and·may·remove·any·packages102 #»      ···from·the·system,·and·may·remove·any·packages
103 #»      ···that·depend·on·inetutils-telnetd.·Execute·this103 #»      ···that·depend·on·telnetd.·Execute·this
104 #»      ···remediation·AFTER·testing·on·a·non-production104 #»      ···remediation·AFTER·testing·on·a·non-production
105 #»      ···system!105 #»      ···system!
  
106 apt-get·remove·--purge·inetutils-telnetd106 apt-get·remove·--purge·telnetd
107 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed107 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4844">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4844"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
108 ··package:108 ··package:
109 ····name="{{item}}"109 ····name="{{item}}"
110 ····state=absent110 ····state=absent
111 ··with_items:111 ··with_items:
112 ····-·inetutils-telnetd112 ····-·telnetd
113 ··tags:113 ··tags:
114 ····-·package_inetutils-telnetd_removed114 ····-·package_telnetd_removed
115 ····-·high_severity115 ····-·high_severity
116 ····-·disable_strategy116 ····-·disable_strategy
117 ····-·low_complexity117 ····-·low_complexity
118 ····-·low_disruption118 ····-·low_disruption
119 ····-·CCE-119 ····-·CCE-
120 ····-·NIST-800-53-AC-17(8)120 ····-·NIST-800-53-AC-17(8)
121 ····-·NIST-800-53-CM-7121 ····-·NIST-800-53-CM-7
122 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd122 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4845">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4845"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
123 class·remove_inetutils-telnetd·{123 class·remove_telnetd·{
124 ··package·{·'inetutils-telnetd':124 ··package·{·'telnetd':
125 ····ensure·=&gt;·'purged',125 ····ensure·=&gt;·'purged',
126 ··}126 ··}
127 }127 }
128 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package128 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4848"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
129 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 129 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
130 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 130 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
131 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate131 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4853">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4853"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 187, 44 lines modifiedOffset 187, 44 lines modified
187 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl187 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4868">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4868"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
188 class·remove_telnetd-ssl·{188 class·remove_telnetd-ssl·{
189 ··package·{·'telnetd-ssl':189 ··package·{·'telnetd-ssl':
190 ····ensure·=&gt;·'purged',190 ····ensure·=&gt;·'purged',
191 ··}191 ··}
192 }192 }
193 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server193 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4871"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
195 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 195 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
196 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 196 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
197 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd197 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4879">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4879"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
198 #»      ···from·the·system,·and·may·remove·any·packages198 #»      ···from·the·system,·and·may·remove·any·packages
199 #»      ···that·depend·on·telnetd.·Execute·this199 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
200 #»      ···remediation·AFTER·testing·on·a·non-production200 #»      ···remediation·AFTER·testing·on·a·non-production
201 #»      ···system!201 #»      ···system!
  
202 apt-get·remove·--purge·telnetd202 apt-get·remove·--purge·inetutils-telnetd
203 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed203 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
204 ··package:204 ··package:
205 ····name="{{item}}"205 ····name="{{item}}"
206 ····state=absent206 ····state=absent
207 ··with_items:207 ··with_items:
208 ····-·telnetd208 ····-·inetutils-telnetd
209 ··tags:209 ··tags:
210 ····-·package_telnetd_removed210 ····-·package_inetutils-telnetd_removed
211 ····-·high_severity211 ····-·high_severity
212 ····-·disable_strategy212 ····-·disable_strategy
213 ····-·low_complexity213 ····-·low_complexity
214 ····-·low_disruption214 ····-·low_disruption
215 ····-·CCE-215 ····-·CCE-
216 ····-·NIST-800-53-AC-17(8)216 ····-·NIST-800-53-AC-17(8)
217 ····-·NIST-800-53-CM-7217 ····-·NIST-800-53-CM-7
218 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd218 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4881">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4881"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
219 class·remove_telnetd·{219 class·remove_inetutils-telnetd·{
220 ··package·{·'telnetd':220 ··package·{·'inetutils-telnetd':
221 ····ensure·=&gt;·'purged',221 ····ensure·=&gt;·'purged',
222 ··}222 ··}
223 }223 }
224 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services224 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
225 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.225 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
226 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4887"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service226 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4887"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service
227 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 227 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 384, 26 lines modifiedOffset 384, 23 lines modified
384 verified·by·ensuring·that·the·following384 verified·by·ensuring·that·the·following
385 line·appears:385 line·appears:
386 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that386 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that
387 result·in·security·vulnerabilities·and387 result·in·security·vulnerabilities·and
388 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 388 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
389 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 389 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
390 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 390 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
391 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords391 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
392 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with392 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
393 empty·passwords,·add·or·correct·the·following·line·in393 edit·<code>/etc/ssh/sshd_config</code>·as
394 <code>/etc/ssh/sshd_config</code>:394 follows:
395 <pre>PermitEmptyPasswords·no</pre>395 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
396 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration396 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
397 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that397 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
398 remote·login·via·SSH·will·require·a·password, 
399 even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
400 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
401 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 398 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
402 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5041"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval399 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
403 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.400 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.
404 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.401 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.
405 <br><br>402 <br><br>
406 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as403 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
407 follows:404 follows:
408 <pre>ClientAliveInterval·<b>interval</b></pre>405 <pre>ClientAliveInterval·<b>interval</b></pre>
409 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout406 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout
Offset 413, 23 lines modifiedOffset 410, 26 lines modified
413 shell,·that·value·will·preempt·any·SSH410 shell,·that·value·will·preempt·any·SSH
414 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH411 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
415 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out412 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out
416 guards·against·compromises·one·system·leading·trivially413 guards·against·compromises·one·system·leading·trivially
417 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 414 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
418 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 415 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
419 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 416 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
420 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5064"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count417 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5066"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords
421 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,418 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with
422 edit·<code>/etc/ssh/sshd_config</code>·as419 empty·passwords,·add·or·correct·the·following·line·in
Max diff block lines reached; 24230/55095 bytes (43.98%) of diff not shown.
./usr/share/doc/ssg-debderived/ssg-ubuntu1604-guide-anssi_np_nt28_average.html
    
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 185, 44 lines modifiedOffset 185, 44 lines modified
185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
186 class·remove_telnetd-ssl·{186 class·remove_telnetd-ssl·{
187 ··package·{·'telnetd-ssl':187 ··package·{·'telnetd-ssl':
188 ····ensure·=&gt;·'purged',188 ····ensure·=&gt;·'purged',
189 ··}189 ··}
190 }190 }
191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
196 #»      ···from·the·system,·and·may·remove·any·packages196 #»      ···from·the·system,·and·may·remove·any·packages
197 #»      ···that·depend·on·telnetd.·Execute·this197 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
198 #»      ···remediation·AFTER·testing·on·a·non-production198 #»      ···remediation·AFTER·testing·on·a·non-production
199 #»      ···system!199 #»      ···system!
  
200 apt-get·remove·--purge·telnetd200 apt-get·remove·--purge·inetutils-telnetd
201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
202 ··package:202 ··package:
203 ····name="{{item}}"203 ····name="{{item}}"
204 ····state=absent204 ····state=absent
205 ··with_items:205 ··with_items:
206 ····-·telnetd206 ····-·inetutils-telnetd
207 ··tags:207 ··tags:
208 ····-·package_telnetd_removed208 ····-·package_inetutils-telnetd_removed
209 ····-·high_severity209 ····-·high_severity
210 ····-·disable_strategy210 ····-·disable_strategy
211 ····-·low_complexity211 ····-·low_complexity
212 ····-·low_disruption212 ····-·low_disruption
213 ····-·CCE-213 ····-·CCE-
214 ····-·NIST-800-53-AC-17(8)214 ····-·NIST-800-53-AC-17(8)
215 ····-·NIST-800-53-CM-7215 ····-·NIST-800-53-CM-7
216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
217 class·remove_telnetd·{217 class·remove_inetutils-telnetd·{
218 ··package·{·'telnetd':218 ··package·{·'inetutils-telnetd':
219 ····ensure·=&gt;·'purged',219 ····ensure·=&gt;·'purged',
220 ··}220 ··}
221 }221 }
222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service
225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 269, 26 lines modifiedOffset 269, 23 lines modified
269 verified·by·ensuring·that·the·following269 verified·by·ensuring·that·the·following
270 line·appears:270 line·appears:
271 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that271 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that
272 result·in·security·vulnerabilities·and272 result·in·security·vulnerabilities·and
273 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 273 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
274 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 274 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
275 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 275 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
276 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords276 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
277 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with277 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
278 empty·passwords,·add·or·correct·the·following·line·in278 edit·<code>/etc/ssh/sshd_config</code>·as
279 <code>/etc/ssh/sshd_config</code>:279 follows:
280 <pre>PermitEmptyPasswords·no</pre>280 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
281 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration281 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
282 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that282 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
283 remote·login·via·SSH·will·require·a·password, 
284 even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
285 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
286 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 283 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
287 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5044"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval284 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
288 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.285 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.
289 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.286 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.
./usr/share/doc/ssg-debderived/ssg-ubuntu1604-guide-anssi_np_nt28_high.html
    
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·37·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·37·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 185, 44 lines modifiedOffset 185, 44 lines modified
185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
186 class·remove_telnetd-ssl·{186 class·remove_telnetd-ssl·{
187 ··package·{·'telnetd-ssl':187 ··package·{·'telnetd-ssl':
188 ····ensure·=&gt;·'purged',188 ····ensure·=&gt;·'purged',
189 ··}189 ··}
190 }190 }
191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
196 #»      ···from·the·system,·and·may·remove·any·packages196 #»      ···from·the·system,·and·may·remove·any·packages
197 #»      ···that·depend·on·telnetd.·Execute·this197 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
198 #»      ···remediation·AFTER·testing·on·a·non-production198 #»      ···remediation·AFTER·testing·on·a·non-production
199 #»      ···system!199 #»      ···system!
  
200 apt-get·remove·--purge·telnetd200 apt-get·remove·--purge·inetutils-telnetd
201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
202 ··package:202 ··package:
203 ····name="{{item}}"203 ····name="{{item}}"
204 ····state=absent204 ····state=absent
205 ··with_items:205 ··with_items:
206 ····-·telnetd206 ····-·inetutils-telnetd
207 ··tags:207 ··tags:
208 ····-·package_telnetd_removed208 ····-·package_inetutils-telnetd_removed
209 ····-·high_severity209 ····-·high_severity
210 ····-·disable_strategy210 ····-·disable_strategy
211 ····-·low_complexity211 ····-·low_complexity
212 ····-·low_disruption212 ····-·low_disruption
213 ····-·CCE-213 ····-·CCE-
214 ····-·NIST-800-53-AC-17(8)214 ····-·NIST-800-53-AC-17(8)
215 ····-·NIST-800-53-CM-7215 ····-·NIST-800-53-CM-7
216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
217 class·remove_telnetd·{217 class·remove_inetutils-telnetd·{
218 ··package·{·'telnetd':218 ··package·{·'inetutils-telnetd':
219 ····ensure·=&gt;·'purged',219 ····ensure·=&gt;·'purged',
220 ··}220 ··}
221 }221 }
222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service
225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 363, 26 lines modifiedOffset 363, 23 lines modified
363 verified·by·ensuring·that·the·following363 verified·by·ensuring·that·the·following
364 line·appears:364 line·appears:
365 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that365 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that
366 result·in·security·vulnerabilities·and366 result·in·security·vulnerabilities·and
367 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 367 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
368 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 368 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
369 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 369 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
370 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords370 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
371 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with371 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
372 empty·passwords,·add·or·correct·the·following·line·in372 edit·<code>/etc/ssh/sshd_config</code>·as
373 <code>/etc/ssh/sshd_config</code>:373 follows:
374 <pre>PermitEmptyPasswords·no</pre>374 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
375 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration375 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
376 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that376 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
377 remote·login·via·SSH·will·require·a·password, 
378 even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
379 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
380 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 377 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
381 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5044"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval378 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
382 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.379 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.
383 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.380 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.
Max diff block lines reached; 43389/74020 bytes (58.62%) of diff not shown.
24.8 KB
./usr/share/doc/ssg-debderived/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html
    
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
Offset 155, 44 lines modifiedOffset 155, 44 lines modified
155 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl155 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
156 class·remove_telnetd-ssl·{156 class·remove_telnetd-ssl·{
157 ··package·{·'telnetd-ssl':157 ··package·{·'telnetd-ssl':
158 ····ensure·=&gt;·'purged',158 ····ensure·=&gt;·'purged',
159 ··}159 ··}
160 }160 }
161 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server161 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
162 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 162 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
163 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 163 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
164 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 164 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
165 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd165 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
166 #»      ···from·the·system,·and·may·remove·any·packages166 #»      ···from·the·system,·and·may·remove·any·packages
167 #»      ···that·depend·on·telnetd.·Execute·this167 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
168 #»      ···remediation·AFTER·testing·on·a·non-production168 #»      ···remediation·AFTER·testing·on·a·non-production
169 #»      ···system!169 #»      ···system!
  
170 apt-get·remove·--purge·telnetd170 apt-get·remove·--purge·inetutils-telnetd
171 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed171 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
172 ··package:172 ··package:
173 ····name="{{item}}"173 ····name="{{item}}"
174 ····state=absent174 ····state=absent
175 ··with_items:175 ··with_items:
176 ····-·telnetd176 ····-·inetutils-telnetd
177 ··tags:177 ··tags:
178 ····-·package_telnetd_removed178 ····-·package_inetutils-telnetd_removed
179 ····-·high_severity179 ····-·high_severity
180 ····-·disable_strategy180 ····-·disable_strategy
181 ····-·low_complexity181 ····-·low_complexity
182 ····-·low_disruption182 ····-·low_disruption
183 ····-·CCE-183 ····-·CCE-
184 ····-·NIST-800-53-AC-17(8)184 ····-·NIST-800-53-AC-17(8)
185 ····-·NIST-800-53-CM-7185 ····-·NIST-800-53-CM-7
186 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd186 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
187 class·remove_telnetd·{187 class·remove_inetutils-telnetd·{
188 ··package·{·'telnetd':188 ··package·{·'inetutils-telnetd':
189 ····ensure·=&gt;·'purged',189 ····ensure·=&gt;·'purged',
190 ··}190 ··}
191 }191 }
192 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration192 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration
193 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration193 ························  
<a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration
194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update.194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update.
195 ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted,195 ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted,
Offset 202, 25 lines modifiedOffset 202, 25 lines modified
202 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo202 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo
203 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority203 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority
204 to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system·204 to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system·
205 users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands205 users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands
206 that·normally·only·<code>root</code>·is·allowed·to·execute.206 that·normally·only·<code>root</code>·is·allowed·to·execute.
207 <br><br>207 <br><br>
208 For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see208 For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see
209 <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5408"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate209 <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"·id="guide-tree-leaf-idm5143"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate
210 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using210 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>!authenticate</code>·option,·when·specified,·allows·a·user·to·execute·commands·using
211 sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the211 sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the
212 <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or212 <code>!authenticate</code>·option·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or
213 any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they213 any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they
214 do·not·have·authorization.214 do·not·have·authorization.
215 <br><br>215 <br><br>
216 When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it216 When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it
217 is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 217 is·critical·that·the·user·re-authenticate.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
218 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 218 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
219 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5428"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD219 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002038</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00156</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00157</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000373-GPOS-00158</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd"·id="guide-tree-leaf-idm5163"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD
220 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using220 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·sudo·<code>NOPASSWD</code>·tag,·when·specified,·allows·a·user·to·execute·commands·using
221 sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the221 sudo·without·having·to·authenticate.·This·should·be·disabled·by·making·sure·that·the
222 <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or·222 <code>NOPASSWD</code>·tag·does·not·exist·in·<code>/etc/sudoers</code>·configuration·file·or·
223 any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they223 any·sudo·configuration·snippets·in·<code>/etc/sudoers.d/</code>.</p><span·class="label·label-primary">Rationale:</span><p>Without·re-authentication,·users·may·access·resources·or·perform·tasks·for·which·they
224 do·not·have·authorization.224 do·not·have·authorization.
225 <br><br>225 <br><br>
226 When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it226 When·operating·systems·provide·the·capability·to·escalate·a·functional·capability,·it
68.0 KB
./usr/share/doc/ssg-debderived/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html
    
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·Restrictive·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·36·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"><small>contains·36·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Ubuntu·1604·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 185, 44 lines modifiedOffset 185, 44 lines modified
185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
186 class·remove_telnetd-ssl·{186 class·remove_telnetd-ssl·{
187 ··package·{·'telnetd-ssl':187 ··package·{·'telnetd-ssl':
188 ····ensure·=&gt;·'purged',188 ····ensure·=&gt;·'purged',
189 ··}189 ··}
190 }190 }
191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
196 #»      ···from·the·system,·and·may·remove·any·packages196 #»      ···from·the·system,·and·may·remove·any·packages
197 #»      ···that·depend·on·telnetd.·Execute·this197 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
198 #»      ···remediation·AFTER·testing·on·a·non-production198 #»      ···remediation·AFTER·testing·on·a·non-production
199 #»      ···system!199 #»      ···system!
  
200 apt-get·remove·--purge·telnetd200 apt-get·remove·--purge·inetutils-telnetd
201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
202 ··package:202 ··package:
203 ····name="{{item}}"203 ····name="{{item}}"
204 ····state=absent204 ····state=absent
205 ··with_items:205 ··with_items:
206 ····-·telnetd206 ····-·inetutils-telnetd
207 ··tags:207 ··tags:
208 ····-·package_telnetd_removed208 ····-·package_inetutils-telnetd_removed
209 ····-·high_severity209 ····-·high_severity
210 ····-·disable_strategy210 ····-·disable_strategy
211 ····-·low_complexity211 ····-·low_complexity
212 ····-·low_disruption212 ····-·low_disruption
213 ····-·CCE-213 ····-·CCE-
214 ····-·NIST-800-53-AC-17(8)214 ····-·NIST-800-53-AC-17(8)
215 ····-·NIST-800-53-CM-7215 ····-·NIST-800-53-CM-7
216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
217 class·remove_telnetd·{217 class·remove_inetutils-telnetd·{
218 ··package·{·'telnetd':218 ··package·{·'inetutils-telnetd':
219 ····ensure·=&gt;·'purged',219 ····ensure·=&gt;·'purged',
220 ··}220 ··}
221 }221 }
222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4899"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service
225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 363, 26 lines modifiedOffset 363, 23 lines modified
363 verified·by·ensuring·that·the·following363 verified·by·ensuring·that·the·following
364 line·appears:364 line·appears:
365 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that365 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that
366 result·in·security·vulnerabilities·and366 result·in·security·vulnerabilities·and
367 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 367 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
368 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 368 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
369 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 369 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
370 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords370 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
371 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with371 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
372 empty·passwords,·add·or·correct·the·following·line·in372 edit·<code>/etc/ssh/sshd_config</code>·as
373 <code>/etc/ssh/sshd_config</code>:373 follows:
374 <pre>PermitEmptyPasswords·no</pre>374 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
375 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration375 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
376 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that376 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
377 remote·login·via·SSH·will·require·a·password, 
378 even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
379 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
380 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 377 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
381 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5044"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval378 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
382 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.379 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.
383 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.380 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.
Max diff block lines reached; 38991/69429 bytes (56.16%) of diff not shown.
17.7 KB
./usr/share/doc/ssg-debderived/ssg-ubuntu1604-guide-default.html
    
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project55
 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:canonical:ubuntu_linux:16.04</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
58 the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It58 the·software·which·Ubuntu·1604·installs·on·a·system·and·disable·software·which·is·not·needed.·It
59 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which59 then·enumerates·the·software·packages·installed·on·a·default·Ubuntu·1604·system·and·provides·guidance·about·which
60 ones·can·be·safely·disabled.60 ones·can·be·safely·disabled.
61 <br><br>61 <br><br>
62 Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional62 Ubuntu·1604·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
Offset 75, 15 lines modifiedOffset 75, 23 lines modified
75 server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed75 server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed
76 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then76 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
77 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration77 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
78 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be78 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
79 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more79 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
80 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration80 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration
81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings
82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage
 83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo
 84 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority
 85 to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system·
 86 users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands
 87 that·normally·only·<code>root</code>·is·allowed·to·execute.
 88 <br><br>
 89 For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see
 90 <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for91 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for
84 many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format,92 many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format,
85 lack·of·authentication·for·received·messages,·and·lack·of·authentication,93 lack·of·authentication·for·received·messages,·and·lack·of·authentication,
86 encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However,94 encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However,
87 due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by95 due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by
88 almost·all·Unix·applications.96 almost·all·Unix·applications.
89 <br>97 <br>
Offset 165, 23 lines modifiedOffset 173, 15 lines modified
165 stores·four·archival·copies·of·each·log.·These·settings·can·be173 stores·four·archival·copies·of·each·log.·These·settings·can·be
166 modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are174 modified·by·editing·<code>/etc/logrotate.conf</code>,·but·the·defaults·are
167 sufficient·for·purposes·of·this·guide.175 sufficient·for·purposes·of·this·guide.
168 <br><br>176 <br><br>
169 Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job177 Note·that·<code>logrotate</code>·is·run·nightly·by·the·cron·job
170 <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be178 <code>/etc/cron.daily/logrotate</code>.·If·particularly·active·logs·need·to·be
171 rotated·more·often·than·once·a·day,·some·other·mechanism·must·be179 rotated·more·often·than·once·a·day,·some·other·mechanism·must·be
172 used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage180 used.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_log_rotation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_fs-part"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem
173 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_sudo"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo 
174 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p><code>Sudo</code>,·which·stands·for·"su·'do'",·provides·the·ability·to·delegate·authority 
175 to·certain·users,·groups·of·users,·or·system·administrators.·When·configured·for·system· 
176 users·and/or·groups,·<code>Sudo</code>·can·allow·a·user·or·group·to·execute·privileged·commands 
177 that·normally·only·<code>root</code>·is·allowed·to·execute. 
178 <br><br> 
179 For·more·information·on·<code>Sudo</code>·and·addition·<code>Sudo</code>·configuration·options,·see 
180 <b><a·href="https://www.sudo.ws">https://www.sudo.ws</a></b></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_sudo"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_fs-part"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem 
181 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services,181 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_fs-part">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardening·the·filesystem·and·its·usage·is·an·efficient·way·to·ensure·an·efficient·separation·of·services,
182 data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation182 data·and·configurations·while·ensuring·a·more·precise·management·of·filesystem·level·access·rights,·enabling·deactivation
183 of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms183 of·some·specific·rights·at·the·filesystem·level.·Moreover,·the·Linux·Virtual·file·system·support·various·hardening·mechanisms
184 that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning184 that·can·be·set·using·sysctl.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_fs-part"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_installation-storage-partitioning"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_installation-storage-partitioning"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fs-part"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_installation-storage-partitioning">Partitioning
185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_installation-storage-partitioning">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Separating·various·locations·of·the·file·systems·in·different·partitions·allows·a·more·restrictive
186 ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by186 ··segregation,·distinctly·from·one·location·to·another.·Moreover,·some·native·restrictions·can·be·made·by
187 partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the187 partitioning,·such·as·no·hard·link·between·different·filesystems,·and·reduce·the·corruption·impact·to·the
53.9 KB
./usr/share/doc/ssg-debderived/ssg-ubuntu1604-guide-standard.html
    
Offset 91, 44 lines modifiedOffset 91, 44 lines modified
91 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis91 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4835">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4835"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
92 class·remove_nis·{92 class·remove_nis·{
93 ··package·{·'nis':93 ··package·{·'nis':
94 ····ensure·=&gt;·'purged',94 ····ensure·=&gt;·'purged',
95 ··}95 ··}
96 }96 }
97 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server97 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4838"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
99 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 99 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
100 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 100 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
101 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd101 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4846">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4846"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
102 #»      ···from·the·system,·and·may·remove·any·packages102 #»      ···from·the·system,·and·may·remove·any·packages
103 #»      ···that·depend·on·inetutils-telnetd.·Execute·this103 #»      ···that·depend·on·telnetd.·Execute·this
104 #»      ···remediation·AFTER·testing·on·a·non-production104 #»      ···remediation·AFTER·testing·on·a·non-production
105 #»      ···system!105 #»      ···system!
  
106 apt-get·remove·--purge·inetutils-telnetd106 apt-get·remove·--purge·telnetd
107 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed107 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4847">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4847"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
108 ··package:108 ··package:
109 ····name="{{item}}"109 ····name="{{item}}"
110 ····state=absent110 ····state=absent
111 ··with_items:111 ··with_items:
112 ····-·inetutils-telnetd112 ····-·telnetd
113 ··tags:113 ··tags:
114 ····-·package_inetutils-telnetd_removed114 ····-·package_telnetd_removed
115 ····-·high_severity115 ····-·high_severity
116 ····-·disable_strategy116 ····-·disable_strategy
117 ····-·low_complexity117 ····-·low_complexity
118 ····-·low_disruption118 ····-·low_disruption
119 ····-·CCE-119 ····-·CCE-
120 ····-·NIST-800-53-AC-17(8)120 ····-·NIST-800-53-AC-17(8)
121 ····-·NIST-800-53-CM-7121 ····-·NIST-800-53-CM-7
122 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd122 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4848">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4848"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
123 class·remove_inetutils-telnetd·{123 class·remove_telnetd·{
124 ··package·{·'inetutils-telnetd':124 ··package·{·'telnetd':
125 ····ensure·=&gt;·'purged',125 ····ensure·=&gt;·'purged',
126 ··}126 ··}
127 }127 }
128 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package128 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4851"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
129 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 129 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
130 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 130 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
131 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate131 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 187, 44 lines modifiedOffset 187, 44 lines modified
187 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl187 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4871">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4871"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
188 class·remove_telnetd-ssl·{188 class·remove_telnetd-ssl·{
189 ··package·{·'telnetd-ssl':189 ··package·{·'telnetd-ssl':
190 ····ensure·=&gt;·'purged',190 ····ensure·=&gt;·'purged',
191 ··}191 ··}
192 }192 }
193 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server193 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4874"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
195 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 195 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
196 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 196 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
197 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd197 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
198 #»      ···from·the·system,·and·may·remove·any·packages198 #»      ···from·the·system,·and·may·remove·any·packages
199 #»      ···that·depend·on·telnetd.·Execute·this199 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
200 #»      ···remediation·AFTER·testing·on·a·non-production200 #»      ···remediation·AFTER·testing·on·a·non-production
201 #»      ···system!201 #»      ···system!
  
202 apt-get·remove·--purge·telnetd202 apt-get·remove·--purge·inetutils-telnetd
203 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed203 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4883">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4883"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
204 ··package:204 ··package:
205 ····name="{{item}}"205 ····name="{{item}}"
206 ····state=absent206 ····state=absent
207 ··with_items:207 ··with_items:
208 ····-·telnetd208 ····-·inetutils-telnetd
209 ··tags:209 ··tags:
210 ····-·package_telnetd_removed210 ····-·package_inetutils-telnetd_removed
211 ····-·high_severity211 ····-·high_severity
212 ····-·disable_strategy212 ····-·disable_strategy
213 ····-·low_complexity213 ····-·low_complexity
214 ····-·low_disruption214 ····-·low_disruption
215 ····-·CCE-215 ····-·CCE-
216 ····-·NIST-800-53-AC-17(8)216 ····-·NIST-800-53-AC-17(8)
217 ····-·NIST-800-53-CM-7217 ····-·NIST-800-53-CM-7
218 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd218 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4884">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4884"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
219 class·remove_telnetd·{219 class·remove_inetutils-telnetd·{
220 ··package·{·'telnetd':220 ··package·{·'inetutils-telnetd':
221 ····ensure·=&gt;·'purged',221 ····ensure·=&gt;·'purged',
222 ··}222 ··}
223 }223 }
224 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services224 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
225 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.225 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
226 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4890"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service226 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4890"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service
227 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 227 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 384, 26 lines modifiedOffset 384, 23 lines modified
384 verified·by·ensuring·that·the·following384 verified·by·ensuring·that·the·following
385 line·appears:385 line·appears:
386 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that386 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that
387 result·in·security·vulnerabilities·and387 result·in·security·vulnerabilities·and
388 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 388 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
389 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 389 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
390 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 390 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
391 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords391 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
392 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with392 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
393 empty·passwords,·add·or·correct·the·following·line·in393 edit·<code>/etc/ssh/sshd_config</code>·as
394 <code>/etc/ssh/sshd_config</code>:394 follows:
395 <pre>PermitEmptyPasswords·no</pre>395 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
396 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration396 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
397 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that397 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
398 remote·login·via·SSH·will·require·a·password, 
399 even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
400 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
401 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 398 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
402 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5044"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval399 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
403 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.400 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.
404 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.401 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.
405 <br><br>402 <br><br>
406 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as403 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
407 follows:404 follows:
408 <pre>ClientAliveInterval·<b>interval</b></pre>405 <pre>ClientAliveInterval·<b>interval</b></pre>
409 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout406 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout
Offset 413, 23 lines modifiedOffset 410, 26 lines modified
413 shell,·that·value·will·preempt·any·SSH410 shell,·that·value·will·preempt·any·SSH
414 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH411 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
415 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out412 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out
416 guards·against·compromises·one·system·leading·trivially413 guards·against·compromises·one·system·leading·trivially
417 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 414 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
418 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 415 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
419 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 416 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
420 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5067"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count417 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5069"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords
421 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,418 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with
422 edit·<code>/etc/ssh/sshd_config</code>·as419 empty·passwords,·add·or·correct·the·following·line·in
Max diff block lines reached; 24230/55095 bytes (43.98%) of diff not shown.
1.5 KB
./usr/share/scap-security-guide/ansible/ssg-ubuntu1404-role-anssi_np_nt28_average.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 90, 22 lines modifiedOffset 90, 22 lines modified
90 ········-·disable_strategy90 ········-·disable_strategy
91 ········-·low_complexity91 ········-·low_complexity
92 ········-·low_disruption92 ········-·low_disruption
93 ········-·CCE-93 ········-·CCE-
94 ········-·NIST-800-53-AC-17(8)94 ········-·NIST-800-53-AC-17(8)
95 ········-·NIST-800-53-CM-795 ········-·NIST-800-53-CM-7
96 ····96 ····
97 ····-·name:·Ensure·telnetd·is·removed97 ····-·name:·Ensure·inetutils-telnetd·is·removed
98 ······package:98 ······package:
99 ········name="{{item}}"99 ········name="{{item}}"
100 ········state=absent100 ········state=absent
101 ······with_items:101 ······with_items:
102 ········-·telnetd102 ········-·inetutils-telnetd
103 ······tags:103 ······tags:
104 ········-·package_telnetd_removed104 ········-·package_inetutils-telnetd_removed
105 ········-·high_severity105 ········-·high_severity
106 ········-·disable_strategy106 ········-·disable_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·low_disruption108 ········-·low_disruption
109 ········-·CCE-109 ········-·CCE-
110 ········-·NIST-800-53-AC-17(8)110 ········-·NIST-800-53-AC-17(8)
111 ········-·NIST-800-53-CM-7111 ········-·NIST-800-53-CM-7
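Review bot: The two sides differ only in the order in which the `telnetd` and `inetutils-telnetd` removal tasks are emitted (lines 51–58 versus 97–104 swap places), which indicates the playbook generator walks its rule set in a non-deterministic order — that is the reproducibility defect this diff surfaces, and it cannot be fixed in this generated file. The fix belongs in the generator: sort rule identifiers before emitting tasks, e.g. `for rule_id in sorted(rule_ids):`, so the same profile always yields a byte-identical role. The swap appears functionally harmless here because each task is an independent `package: state=absent` with no dependency on the other, but anyone diffing generated roles as a supply-chain integrity check will see spurious churn until the ordering is made deterministic.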
1.5 KB
./usr/share/scap-security-guide/ansible/ssg-ubuntu1404-role-anssi_np_nt28_high.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 90, 22 lines modifiedOffset 90, 22 lines modified
90 ········-·disable_strategy90 ········-·disable_strategy
91 ········-·low_complexity91 ········-·low_complexity
92 ········-·low_disruption92 ········-·low_disruption
93 ········-·CCE-93 ········-·CCE-
94 ········-·NIST-800-53-AC-17(8)94 ········-·NIST-800-53-AC-17(8)
95 ········-·NIST-800-53-CM-795 ········-·NIST-800-53-CM-7
96 ····96 ····
97 ····-·name:·Ensure·telnetd·is·removed97 ····-·name:·Ensure·inetutils-telnetd·is·removed
98 ······package:98 ······package:
99 ········name="{{item}}"99 ········name="{{item}}"
100 ········state=absent100 ········state=absent
101 ······with_items:101 ······with_items:
102 ········-·telnetd102 ········-·inetutils-telnetd
103 ······tags:103 ······tags:
104 ········-·package_telnetd_removed104 ········-·package_inetutils-telnetd_removed
105 ········-·high_severity105 ········-·high_severity
106 ········-·disable_strategy106 ········-·disable_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·low_disruption108 ········-·low_disruption
109 ········-·CCE-109 ········-·CCE-
110 ········-·NIST-800-53-AC-17(8)110 ········-·NIST-800-53-AC-17(8)
111 ········-·NIST-800-53-CM-7111 ········-·NIST-800-53-CM-7
1.5 KB
./usr/share/scap-security-guide/ansible/ssg-ubuntu1404-role-anssi_np_nt28_minimal.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 76, 22 lines modifiedOffset 76, 22 lines modified
76 ········-·disable_strategy76 ········-·disable_strategy
77 ········-·low_complexity77 ········-·low_complexity
78 ········-·low_disruption78 ········-·low_disruption
79 ········-·CCE-79 ········-·CCE-
80 ········-·NIST-800-53-AC-17(8)80 ········-·NIST-800-53-AC-17(8)
81 ········-·NIST-800-53-CM-781 ········-·NIST-800-53-CM-7
82 ····82 ····
83 ····-·name:·Ensure·telnetd·is·removed83 ····-·name:·Ensure·inetutils-telnetd·is·removed
84 ······package:84 ······package:
85 ········name="{{item}}"85 ········name="{{item}}"
86 ········state=absent86 ········state=absent
87 ······with_items:87 ······with_items:
88 ········-·telnetd88 ········-·inetutils-telnetd
89 ······tags:89 ······tags:
90 ········-·package_telnetd_removed90 ········-·package_inetutils-telnetd_removed
91 ········-·high_severity91 ········-·high_severity
92 ········-·disable_strategy92 ········-·disable_strategy
93 ········-·low_complexity93 ········-·low_complexity
94 ········-·low_disruption94 ········-·low_disruption
95 ········-·CCE-95 ········-·CCE-
96 ········-·NIST-800-53-AC-17(8)96 ········-·NIST-800-53-AC-17(8)
97 ········-·NIST-800-53-CM-797 ········-·NIST-800-53-CM-7
1.51 KB
./usr/share/scap-security-guide/ansible/ssg-ubuntu1404-role-anssi_np_nt28_restrictive.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 90, 22 lines modifiedOffset 90, 22 lines modified
90 ········-·disable_strategy90 ········-·disable_strategy
91 ········-·low_complexity91 ········-·low_complexity
92 ········-·low_disruption92 ········-·low_disruption
93 ········-·CCE-93 ········-·CCE-
94 ········-·NIST-800-53-AC-17(8)94 ········-·NIST-800-53-AC-17(8)
95 ········-·NIST-800-53-CM-795 ········-·NIST-800-53-CM-7
96 ····96 ····
97 ····-·name:·Ensure·telnetd·is·removed97 ····-·name:·Ensure·inetutils-telnetd·is·removed
98 ······package:98 ······package:
99 ········name="{{item}}"99 ········name="{{item}}"
100 ········state=absent100 ········state=absent
101 ······with_items:101 ······with_items:
102 ········-·telnetd102 ········-·inetutils-telnetd
103 ······tags:103 ······tags:
104 ········-·package_telnetd_removed104 ········-·package_inetutils-telnetd_removed
105 ········-·high_severity105 ········-·high_severity
106 ········-·disable_strategy106 ········-·disable_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·low_disruption108 ········-·low_disruption
109 ········-·CCE-109 ········-·CCE-
110 ········-·NIST-800-53-AC-17(8)110 ········-·NIST-800-53-AC-17(8)
111 ········-·NIST-800-53-CM-7111 ········-·NIST-800-53-CM-7
1.48 KB
./usr/share/scap-security-guide/ansible/ssg-ubuntu1404-role-standard.yml
Ordering differences only
    
Offset 46, 22 lines modifiedOffset 46, 22 lines modified
46 ········-·package_nis_removed46 ········-·package_nis_removed
47 ········-·low_severity47 ········-·low_severity
48 ········-·disable_strategy48 ········-·disable_strategy
49 ········-·low_complexity49 ········-·low_complexity
50 ········-·low_disruption50 ········-·low_disruption
51 ········-·CCE-51 ········-·CCE-
52 ····52 ····
53 ····-·name:·Ensure·inetutils-telnetd·is·removed53 ····-·name:·Ensure·telnetd·is·removed
54 ······package:54 ······package:
55 ········name="{{item}}"55 ········name="{{item}}"
56 ········state=absent56 ········state=absent
57 ······with_items:57 ······with_items:
58 ········-·inetutils-telnetd58 ········-·telnetd
59 ······tags:59 ······tags:
60 ········-·package_inetutils-telnetd_removed60 ········-·package_telnetd_removed
61 ········-·high_severity61 ········-·high_severity
62 ········-·disable_strategy62 ········-·disable_strategy
63 ········-·low_complexity63 ········-·low_complexity
64 ········-·low_disruption64 ········-·low_disruption
65 ········-·CCE-65 ········-·CCE-
66 ········-·NIST-800-53-AC-17(8)66 ········-·NIST-800-53-AC-17(8)
67 ········-·NIST-800-53-CM-767 ········-·NIST-800-53-CM-7
Offset 92, 22 lines modifiedOffset 92, 22 lines modified
92 ········-·disable_strategy92 ········-·disable_strategy
93 ········-·low_complexity93 ········-·low_complexity
94 ········-·low_disruption94 ········-·low_disruption
95 ········-·CCE-95 ········-·CCE-
96 ········-·NIST-800-53-AC-17(8)96 ········-·NIST-800-53-AC-17(8)
97 ········-·NIST-800-53-CM-797 ········-·NIST-800-53-CM-7
98 ····98 ····
99 ····-·name:·Ensure·telnetd·is·removed99 ····-·name:·Ensure·inetutils-telnetd·is·removed
100 ······package:100 ······package:
101 ········name="{{item}}"101 ········name="{{item}}"
102 ········state=absent102 ········state=absent
103 ······with_items:103 ······with_items:
104 ········-·telnetd104 ········-·inetutils-telnetd
105 ······tags:105 ······tags:
106 ········-·package_telnetd_removed106 ········-·package_inetutils-telnetd_removed
107 ········-·high_severity107 ········-·high_severity
108 ········-·disable_strategy108 ········-·disable_strategy
109 ········-·low_complexity109 ········-·low_complexity
110 ········-·low_disruption110 ········-·low_disruption
111 ········-·CCE-111 ········-·CCE-
112 ········-·NIST-800-53-AC-17(8)112 ········-·NIST-800-53-AC-17(8)
113 ········-·NIST-800-53-CM-7113 ········-·NIST-800-53-CM-7
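Review bot: The removal tasks use the generic `package` module with `state=absent` (lines 54–56, 100–102), which does not purge configuration files, whereas the bash remediation for the same rules in this diff runs `apt-get remove --purge`; the two remediation paths therefore leave the host in different states. If the intent is to purge, the generated task should use the apt module, e.g. `apt: name={{item}} state=absent purge=yes`, or the bash script should drop `--purge` so both agree. The `name="{{item}}"` key=value string form under a `package:` mapping also reads oddly next to the block-style tags; the generator could emit `name: "{{ item }}"` and `state: absent` as ordinary mapping keys.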
1.5 KB
./usr/share/scap-security-guide/ansible/ssg-ubuntu1604-role-anssi_np_nt28_average.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 90, 22 lines modifiedOffset 90, 22 lines modified
90 ········-·disable_strategy90 ········-·disable_strategy
91 ········-·low_complexity91 ········-·low_complexity
92 ········-·low_disruption92 ········-·low_disruption
93 ········-·CCE-93 ········-·CCE-
94 ········-·NIST-800-53-AC-17(8)94 ········-·NIST-800-53-AC-17(8)
95 ········-·NIST-800-53-CM-795 ········-·NIST-800-53-CM-7
96 ····96 ····
97 ····-·name:·Ensure·telnetd·is·removed97 ····-·name:·Ensure·inetutils-telnetd·is·removed
98 ······package:98 ······package:
99 ········name="{{item}}"99 ········name="{{item}}"
100 ········state=absent100 ········state=absent
101 ······with_items:101 ······with_items:
102 ········-·telnetd102 ········-·inetutils-telnetd
103 ······tags:103 ······tags:
104 ········-·package_telnetd_removed104 ········-·package_inetutils-telnetd_removed
105 ········-·high_severity105 ········-·high_severity
106 ········-·disable_strategy106 ········-·disable_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·low_disruption108 ········-·low_disruption
109 ········-·CCE-109 ········-·CCE-
110 ········-·NIST-800-53-AC-17(8)110 ········-·NIST-800-53-AC-17(8)
111 ········-·NIST-800-53-CM-7111 ········-·NIST-800-53-CM-7
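Review bot: Every task carries a bare `CCE-` tag (lines 49, 63, 109), a placeholder for an unassigned CCE identifier that has been emitted verbatim, so `ansible-playbook --tags CCE-` selects every task and the tag provides no traceability back to a configuration-control identifier. The generator should omit the tag when no CCE number has been assigned, or emit the rule identifier in its place; for this file the fix is simply to drop each `- CCE-` line until identifiers exist. The same placeholder is present in the other generated Ubuntu roles in this diff, so the fix should be applied in the template rather than per file.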
1.5 KB
./usr/share/scap-security-guide/ansible/ssg-ubuntu1604-role-anssi_np_nt28_high.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 90, 22 lines modifiedOffset 90, 22 lines modified
90 ········-·disable_strategy90 ········-·disable_strategy
91 ········-·low_complexity91 ········-·low_complexity
92 ········-·low_disruption92 ········-·low_disruption
93 ········-·CCE-93 ········-·CCE-
94 ········-·NIST-800-53-AC-17(8)94 ········-·NIST-800-53-AC-17(8)
95 ········-·NIST-800-53-CM-795 ········-·NIST-800-53-CM-7
96 ····96 ····
97 ····-·name:·Ensure·telnetd·is·removed97 ····-·name:·Ensure·inetutils-telnetd·is·removed
98 ······package:98 ······package:
99 ········name="{{item}}"99 ········name="{{item}}"
100 ········state=absent100 ········state=absent
101 ······with_items:101 ······with_items:
102 ········-·telnetd102 ········-·inetutils-telnetd
103 ······tags:103 ······tags:
104 ········-·package_telnetd_removed104 ········-·package_inetutils-telnetd_removed
105 ········-·high_severity105 ········-·high_severity
106 ········-·disable_strategy106 ········-·disable_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·low_disruption108 ········-·low_disruption
109 ········-·CCE-109 ········-·CCE-
110 ········-·NIST-800-53-AC-17(8)110 ········-·NIST-800-53-AC-17(8)
111 ········-·NIST-800-53-CM-7111 ········-·NIST-800-53-CM-7
1.5 KB
./usr/share/scap-security-guide/ansible/ssg-ubuntu1604-role-anssi_np_nt28_minimal.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 76, 22 lines modifiedOffset 76, 22 lines modified
76 ········-·disable_strategy76 ········-·disable_strategy
77 ········-·low_complexity77 ········-·low_complexity
78 ········-·low_disruption78 ········-·low_disruption
79 ········-·CCE-79 ········-·CCE-
80 ········-·NIST-800-53-AC-17(8)80 ········-·NIST-800-53-AC-17(8)
81 ········-·NIST-800-53-CM-781 ········-·NIST-800-53-CM-7
82 ····82 ····
83 ····-·name:·Ensure·telnetd·is·removed83 ····-·name:·Ensure·inetutils-telnetd·is·removed
84 ······package:84 ······package:
85 ········name="{{item}}"85 ········name="{{item}}"
86 ········state=absent86 ········state=absent
87 ······with_items:87 ······with_items:
88 ········-·telnetd88 ········-·inetutils-telnetd
89 ······tags:89 ······tags:
90 ········-·package_telnetd_removed90 ········-·package_inetutils-telnetd_removed
91 ········-·high_severity91 ········-·high_severity
92 ········-·disable_strategy92 ········-·disable_strategy
93 ········-·low_complexity93 ········-·low_complexity
94 ········-·low_disruption94 ········-·low_disruption
95 ········-·CCE-95 ········-·CCE-
96 ········-·NIST-800-53-AC-17(8)96 ········-·NIST-800-53-AC-17(8)
97 ········-·NIST-800-53-CM-797 ········-·NIST-800-53-CM-7
1.51 KB
./usr/share/scap-security-guide/ansible/ssg-ubuntu1604-role-anssi_np_nt28_restrictive.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 90, 22 lines modifiedOffset 90, 22 lines modified
90 ········-·disable_strategy90 ········-·disable_strategy
91 ········-·low_complexity91 ········-·low_complexity
92 ········-·low_disruption92 ········-·low_disruption
93 ········-·CCE-93 ········-·CCE-
94 ········-·NIST-800-53-AC-17(8)94 ········-·NIST-800-53-AC-17(8)
95 ········-·NIST-800-53-CM-795 ········-·NIST-800-53-CM-7
96 ····96 ····
97 ····-·name:·Ensure·telnetd·is·removed97 ····-·name:·Ensure·inetutils-telnetd·is·removed
98 ······package:98 ······package:
99 ········name="{{item}}"99 ········name="{{item}}"
100 ········state=absent100 ········state=absent
101 ······with_items:101 ······with_items:
102 ········-·telnetd102 ········-·inetutils-telnetd
103 ······tags:103 ······tags:
104 ········-·package_telnetd_removed104 ········-·package_inetutils-telnetd_removed
105 ········-·high_severity105 ········-·high_severity
106 ········-·disable_strategy106 ········-·disable_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·low_disruption108 ········-·low_disruption
109 ········-·CCE-109 ········-·CCE-
110 ········-·NIST-800-53-AC-17(8)110 ········-·NIST-800-53-AC-17(8)
111 ········-·NIST-800-53-CM-7111 ········-·NIST-800-53-CM-7
1.48 KB
./usr/share/scap-security-guide/ansible/ssg-ubuntu1604-role-standard.yml
Ordering differences only
    
Offset 46, 22 lines modifiedOffset 46, 22 lines modified
46 ········-·package_nis_removed46 ········-·package_nis_removed
47 ········-·low_severity47 ········-·low_severity
48 ········-·disable_strategy48 ········-·disable_strategy
49 ········-·low_complexity49 ········-·low_complexity
50 ········-·low_disruption50 ········-·low_disruption
51 ········-·CCE-51 ········-·CCE-
52 ····52 ····
53 ····-·name:·Ensure·inetutils-telnetd·is·removed53 ····-·name:·Ensure·telnetd·is·removed
54 ······package:54 ······package:
55 ········name="{{item}}"55 ········name="{{item}}"
56 ········state=absent56 ········state=absent
57 ······with_items:57 ······with_items:
58 ········-·inetutils-telnetd58 ········-·telnetd
59 ······tags:59 ······tags:
60 ········-·package_inetutils-telnetd_removed60 ········-·package_telnetd_removed
61 ········-·high_severity61 ········-·high_severity
62 ········-·disable_strategy62 ········-·disable_strategy
63 ········-·low_complexity63 ········-·low_complexity
64 ········-·low_disruption64 ········-·low_disruption
65 ········-·CCE-65 ········-·CCE-
66 ········-·NIST-800-53-AC-17(8)66 ········-·NIST-800-53-AC-17(8)
67 ········-·NIST-800-53-CM-767 ········-·NIST-800-53-CM-7
Offset 92, 22 lines modifiedOffset 92, 22 lines modified
92 ········-·disable_strategy92 ········-·disable_strategy
93 ········-·low_complexity93 ········-·low_complexity
94 ········-·low_disruption94 ········-·low_disruption
95 ········-·CCE-95 ········-·CCE-
96 ········-·NIST-800-53-AC-17(8)96 ········-·NIST-800-53-AC-17(8)
97 ········-·NIST-800-53-CM-797 ········-·NIST-800-53-CM-7
98 ····98 ····
99 ····-·name:·Ensure·telnetd·is·removed99 ····-·name:·Ensure·inetutils-telnetd·is·removed
100 ······package:100 ······package:
101 ········name="{{item}}"101 ········name="{{item}}"
102 ········state=absent102 ········state=absent
103 ······with_items:103 ······with_items:
104 ········-·telnetd104 ········-·inetutils-telnetd
105 ······tags:105 ······tags:
106 ········-·package_telnetd_removed106 ········-·package_inetutils-telnetd_removed
107 ········-·high_severity107 ········-·high_severity
108 ········-·disable_strategy108 ········-·disable_strategy
109 ········-·low_complexity109 ········-·low_complexity
110 ········-·low_disruption110 ········-·low_disruption
111 ········-·CCE-111 ········-·CCE-
112 ········-·NIST-800-53-AC-17(8)112 ········-·NIST-800-53-AC-17(8)
113 ········-·NIST-800-53-CM-7113 ········-·NIST-800-53-CM-7
8.66 KB
./usr/share/scap-security-guide/bash/ssg-ubuntu1404-role-anssi_np_nt28_average.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·32)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·32)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/32:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/32:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·32)·for·'package_ntpdate_removed'47 #·BEGIN·fix·(3·/·32)·for·'package_ntpdate_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/32:·'package_ntpdate_removed'")49 (>&2·echo·"Remediating·rule·3/32:·'package_ntpdate_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·ntpdate50 #·CAUTION:·This·remediation·script·will·remove·ntpdate
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 70, 25 lines modifiedOffset 70, 25 lines modified
70 #»      ···remediation·AFTER·testing·on·a·non-production70 #»      ···remediation·AFTER·testing·on·a·non-production
71 #»      ···system!71 #»      ···system!
  
72 apt-get·remove·--purge·telnetd-ssl72 apt-get·remove·--purge·telnetd-ssl
73 #·END·fix·for·'package_telnetd-ssl_removed'73 #·END·fix·for·'package_telnetd-ssl_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(5·/·32)·for·'package_telnetd_removed'75 #·BEGIN·fix·(5·/·32)·for·'package_inetutils-telnetd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·5/32:·'package_telnetd_removed'")77 (>&2·echo·"Remediating·rule·5/32:·'package_inetutils-telnetd_removed'")
78 #·CAUTION:·This·remediation·script·will·remove·telnetd78 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
79 #»      ···from·the·system,·and·may·remove·any·packages79 #»      ···from·the·system,·and·may·remove·any·packages
80 #»      ···that·depend·on·telnetd.·Execute·this80 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
81 #»      ···remediation·AFTER·testing·on·a·non-production81 #»      ···remediation·AFTER·testing·on·a·non-production
82 #»      ···system!82 #»      ···system!
  
83 apt-get·remove·--purge·telnetd83 apt-get·remove·--purge·inetutils-telnetd
84 #·END·fix·for·'package_telnetd_removed'84 #·END·fix·for·'package_inetutils-telnetd_removed'
  
85 ###############################################################################85 ###############################################################################
86 #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed'86 #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed'
87 ###############################################################################87 ###############################################################################
88 (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'")88 (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'")
89 #·FIX·FOR·THIS·RULE·IS·MISSING89 #·FIX·FOR·THIS·RULE·IS·MISSING
90 #·END·fix·for·'package_ntp_installed'90 #·END·fix·for·'package_ntp_installed'
Offset 97, 33 lines modifiedOffset 97, 33 lines modified
97 #·BEGIN·fix·(7·/·32)·for·'sshd_allow_only_protocol2'97 #·BEGIN·fix·(7·/·32)·for·'sshd_allow_only_protocol2'
98 ###############################################################################98 ###############################################################################
99 (>&2·echo·"Remediating·rule·7/32:·'sshd_allow_only_protocol2'")99 (>&2·echo·"Remediating·rule·7/32:·'sshd_allow_only_protocol2'")
100 #·FIX·FOR·THIS·RULE·IS·MISSING100 #·FIX·FOR·THIS·RULE·IS·MISSING
101 #·END·fix·for·'sshd_allow_only_protocol2'101 #·END·fix·for·'sshd_allow_only_protocol2'
  
102 ###############################################################################102 ###############################################################################
103 #·BEGIN·fix·(8·/·32)·for·'sshd_disable_empty_passwords'103 #·BEGIN·fix·(8·/·32)·for·'sshd_set_keepalive'
104 ###############################################################################104 ###############################################################################
105 (>&2·echo·"Remediating·rule·8/32:·'sshd_disable_empty_passwords'")105 (>&2·echo·"Remediating·rule·8/32:·'sshd_set_keepalive'")
106 #·FIX·FOR·THIS·RULE·IS·MISSING106 #·FIX·FOR·THIS·RULE·IS·MISSING
107 #·END·fix·for·'sshd_disable_empty_passwords'107 #·END·fix·for·'sshd_set_keepalive'
  
108 ###############################################################################108 ###############################################################################
109 #·BEGIN·fix·(9·/·32)·for·'sshd_set_idle_timeout'109 #·BEGIN·fix·(9·/·32)·for·'sshd_set_idle_timeout'
110 ###############################################################################110 ###############################################################################
111 (>&2·echo·"Remediating·rule·9/32:·'sshd_set_idle_timeout'")111 (>&2·echo·"Remediating·rule·9/32:·'sshd_set_idle_timeout'")
112 #·FIX·FOR·THIS·RULE·IS·MISSING112 #·FIX·FOR·THIS·RULE·IS·MISSING
113 #·END·fix·for·'sshd_set_idle_timeout'113 #·END·fix·for·'sshd_set_idle_timeout'
  
114 ###############################################################################114 ###############################################################################
115 #·BEGIN·fix·(10·/·32)·for·'sshd_set_keepalive'115 #·BEGIN·fix·(10·/·32)·for·'sshd_disable_empty_passwords'
116 ###############################################################################116 ###############################################################################
117 (>&2·echo·"Remediating·rule·10/32:·'sshd_set_keepalive'")117 (>&2·echo·"Remediating·rule·10/32:·'sshd_disable_empty_passwords'")
118 #·FIX·FOR·THIS·RULE·IS·MISSING118 #·FIX·FOR·THIS·RULE·IS·MISSING
119 #·END·fix·for·'sshd_set_keepalive'119 #·END·fix·for·'sshd_disable_empty_passwords'
  
120 ###############################################################################120 ###############################################################################
121 #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login'121 #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login'
122 ###############################################################################122 ###############################################################################
123 (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'")123 (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'")
124 #·FIX·FOR·THIS·RULE·IS·MISSING124 #·FIX·FOR·THIS·RULE·IS·MISSING
125 #·END·fix·for·'sshd_disable_root_login'125 #·END·fix·for·'sshd_disable_root_login'
Offset 132, 54 lines modifiedOffset 132, 54 lines modified
132 #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated'132 #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated'
133 ###############################################################################133 ###############################################################################
134 (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'")134 (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'")
135 #·FIX·FOR·THIS·RULE·IS·MISSING135 #·FIX·FOR·THIS·RULE·IS·MISSING
136 #·END·fix·for·'apt_conf_disallow_unauthenticated'136 #·END·fix·for·'apt_conf_disallow_unauthenticated'
  
137 ###############################################################################137 ###############################################################################
138 #·BEGIN·fix·(13·/·32)·for·'rsyslog_files_permissions'138 #·BEGIN·fix·(13·/·32)·for·'sudo_remove_no_authenticate'
139 ###############################################################################139 ###############################################################################
140 (>&2·echo·"Remediating·rule·13/32:·'rsyslog_files_permissions'")140 (>&2·echo·"Remediating·rule·13/32:·'sudo_remove_no_authenticate'")
141 #·FIX·FOR·THIS·RULE·IS·MISSING141 #·FIX·FOR·THIS·RULE·IS·MISSING
142 #·END·fix·for·'rsyslog_files_permissions'142 #·END·fix·for·'sudo_remove_no_authenticate'
  
143 ###############################################################################143 ###############################################################################
144 #·BEGIN·fix·(14·/·32)·for·'rsyslog_files_ownership'144 #·BEGIN·fix·(14·/·32)·for·'sudo_remove_nopasswd'
145 ###############################################################################145 ###############################################################################
146 (>&2·echo·"Remediating·rule·14/32:·'rsyslog_files_ownership'")146 (>&2·echo·"Remediating·rule·14/32:·'sudo_remove_nopasswd'")
147 #·FIX·FOR·THIS·RULE·IS·MISSING147 #·FIX·FOR·THIS·RULE·IS·MISSING
148 #·END·fix·for·'rsyslog_files_ownership'148 #·END·fix·for·'sudo_remove_nopasswd'
  
149 ###############################################################################149 ###############################################################################
150 #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_groupownership'150 #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_permissions'
151 ###############################################################################151 ###############################################################################
152 (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_groupownership'")152 (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_permissions'")
153 #·FIX·FOR·THIS·RULE·IS·MISSING153 #·FIX·FOR·THIS·RULE·IS·MISSING
154 #·END·fix·for·'rsyslog_files_groupownership'154 #·END·fix·for·'rsyslog_files_permissions'
  
155 ###############################################################################155 ###############################################################################
156 #·BEGIN·fix·(16·/·32)·for·'ensure_logrotate_activated'156 #·BEGIN·fix·(16·/·32)·for·'rsyslog_files_ownership'
157 ###############################################################################157 ###############################################################################
158 (>&2·echo·"Remediating·rule·16/32:·'ensure_logrotate_activated'")158 (>&2·echo·"Remediating·rule·16/32:·'rsyslog_files_ownership'")
159 #·FIX·FOR·THIS·RULE·IS·MISSING159 #·FIX·FOR·THIS·RULE·IS·MISSING
160 #·END·fix·for·'ensure_logrotate_activated'160 #·END·fix·for·'rsyslog_files_ownership'
  
161 ###############################################################################161 ###############################################################################
162 #·BEGIN·fix·(17·/·32)·for·'sudo_remove_no_authenticate'162 #·BEGIN·fix·(17·/·32)·for·'rsyslog_files_groupownership'
163 ###############################################################################163 ###############################################################################
164 (>&2·echo·"Remediating·rule·17/32:·'sudo_remove_no_authenticate'")164 (>&2·echo·"Remediating·rule·17/32:·'rsyslog_files_groupownership'")
165 #·FIX·FOR·THIS·RULE·IS·MISSING165 #·FIX·FOR·THIS·RULE·IS·MISSING
166 #·END·fix·for·'sudo_remove_no_authenticate'166 #·END·fix·for·'rsyslog_files_groupownership'
  
Max diff block lines reached; 768/8703 bytes (8.82%) of diff not shown.
./usr/share/scap-security-guide/bash/ssg-ubuntu1404-role-anssi_np_nt28_high.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·37)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·37)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/37:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/37:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed'47 #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'")49 (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·ntpdate50 #·CAUTION:·This·remediation·script·will·remove·ntpdate
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 70, 25 lines modifiedOffset 70, 25 lines modified
70 #»      ···remediation·AFTER·testing·on·a·non-production70 #»      ···remediation·AFTER·testing·on·a·non-production
71 #»      ···system!71 #»      ···system!
  
72 apt-get·remove·--purge·telnetd-ssl72 apt-get·remove·--purge·telnetd-ssl
73 #·END·fix·for·'package_telnetd-ssl_removed'73 #·END·fix·for·'package_telnetd-ssl_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(5·/·37)·for·'package_telnetd_removed'75 #·BEGIN·fix·(5·/·37)·for·'package_inetutils-telnetd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·5/37:·'package_telnetd_removed'")77 (>&2·echo·"Remediating·rule·5/37:·'package_inetutils-telnetd_removed'")
78 #·CAUTION:·This·remediation·script·will·remove·telnetd78 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
79 #»      ···from·the·system,·and·may·remove·any·packages79 #»      ···from·the·system,·and·may·remove·any·packages
80 #»      ···that·depend·on·telnetd.·Execute·this80 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
81 #»      ···remediation·AFTER·testing·on·a·non-production81 #»      ···remediation·AFTER·testing·on·a·non-production
82 #»      ···system!82 #»      ···system!
  
83 apt-get·remove·--purge·telnetd83 apt-get·remove·--purge·inetutils-telnetd
84 #·END·fix·for·'package_telnetd_removed'84 #·END·fix·for·'package_inetutils-telnetd_removed'
  
85 ###############################################################################85 ###############################################################################
86 #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed'86 #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed'
87 ###############################################################################87 ###############################################################################
88 (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'")88 (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'")
89 #·FIX·FOR·THIS·RULE·IS·MISSING89 #·FIX·FOR·THIS·RULE·IS·MISSING
90 #·END·fix·for·'package_ntp_installed'90 #·END·fix·for·'package_ntp_installed'
Offset 125, 33 lines modifiedOffset 125, 33 lines modified
125 #·BEGIN·fix·(11·/·37)·for·'sshd_allow_only_protocol2'125 #·BEGIN·fix·(11·/·37)·for·'sshd_allow_only_protocol2'
126 ###############################################################################126 ###############################################################################
127 (>&2·echo·"Remediating·rule·11/37:·'sshd_allow_only_protocol2'")127 (>&2·echo·"Remediating·rule·11/37:·'sshd_allow_only_protocol2'")
128 #·FIX·FOR·THIS·RULE·IS·MISSING128 #·FIX·FOR·THIS·RULE·IS·MISSING
129 #·END·fix·for·'sshd_allow_only_protocol2'129 #·END·fix·for·'sshd_allow_only_protocol2'
  
130 ###############################################################################130 ###############################################################################
131 #·BEGIN·fix·(12·/·37)·for·'sshd_disable_empty_passwords'131 #·BEGIN·fix·(12·/·37)·for·'sshd_set_keepalive'
132 ###############################################################################132 ###############################################################################
133 (>&2·echo·"Remediating·rule·12/37:·'sshd_disable_empty_passwords'")133 (>&2·echo·"Remediating·rule·12/37:·'sshd_set_keepalive'")
134 #·FIX·FOR·THIS·RULE·IS·MISSING134 #·FIX·FOR·THIS·RULE·IS·MISSING
135 #·END·fix·for·'sshd_disable_empty_passwords'135 #·END·fix·for·'sshd_set_keepalive'
  
136 ###############################################################################136 ###############################################################################
137 #·BEGIN·fix·(13·/·37)·for·'sshd_set_idle_timeout'137 #·BEGIN·fix·(13·/·37)·for·'sshd_set_idle_timeout'
138 ###############################################################################138 ###############################################################################
139 (>&2·echo·"Remediating·rule·13/37:·'sshd_set_idle_timeout'")139 (>&2·echo·"Remediating·rule·13/37:·'sshd_set_idle_timeout'")
140 #·FIX·FOR·THIS·RULE·IS·MISSING140 #·FIX·FOR·THIS·RULE·IS·MISSING
141 #·END·fix·for·'sshd_set_idle_timeout'141 #·END·fix·for·'sshd_set_idle_timeout'
  
142 ###############################################################################142 ###############################################################################
143 #·BEGIN·fix·(14·/·37)·for·'sshd_set_keepalive'143 #·BEGIN·fix·(14·/·37)·for·'sshd_disable_empty_passwords'
144 ###############################################################################144 ###############################################################################
145 (>&2·echo·"Remediating·rule·14/37:·'sshd_set_keepalive'")145 (>&2·echo·"Remediating·rule·14/37:·'sshd_disable_empty_passwords'")
146 #·FIX·FOR·THIS·RULE·IS·MISSING146 #·FIX·FOR·THIS·RULE·IS·MISSING
147 #·END·fix·for·'sshd_set_keepalive'147 #·END·fix·for·'sshd_disable_empty_passwords'
  
148 ###############################################################################148 ###############################################################################
149 #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login'149 #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login'
150 ###############################################################################150 ###############################################################################
151 (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'")151 (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'")
152 #·FIX·FOR·THIS·RULE·IS·MISSING152 #·FIX·FOR·THIS·RULE·IS·MISSING
153 #·END·fix·for·'sshd_disable_root_login'153 #·END·fix·for·'sshd_disable_root_login'
Offset 160, 61 lines modifiedOffset 160, 61 lines modified
160 #·BEGIN·fix·(16·/·37)·for·'apt_conf_disallow_unauthenticated'160 #·BEGIN·fix·(16·/·37)·for·'apt_conf_disallow_unauthenticated'
161 ###############################################################################161 ###############################################################################
162 (>&2·echo·"Remediating·rule·16/37:·'apt_conf_disallow_unauthenticated'")162 (>&2·echo·"Remediating·rule·16/37:·'apt_conf_disallow_unauthenticated'")
163 #·FIX·FOR·THIS·RULE·IS·MISSING163 #·FIX·FOR·THIS·RULE·IS·MISSING
164 #·END·fix·for·'apt_conf_disallow_unauthenticated'164 #·END·fix·for·'apt_conf_disallow_unauthenticated'
  
165 ###############################################################################165 ###############################################################################
166 #·BEGIN·fix·(17·/·37)·for·'rsyslog_files_permissions'166 #·BEGIN·fix·(17·/·37)·for·'grub2_enable_iommu_force'
167 ###############################################################################167 ###############################################################################
168 (>&2·echo·"Remediating·rule·17/37:·'rsyslog_files_permissions'")168 (>&2·echo·"Remediating·rule·17/37:·'grub2_enable_iommu_force'")
169 #·FIX·FOR·THIS·RULE·IS·MISSING169 #·FIX·FOR·THIS·RULE·IS·MISSING
170 #·END·fix·for·'rsyslog_files_permissions'170 #·END·fix·for·'grub2_enable_iommu_force'
  
171 ###############################################################################171 ###############################################################################
172 #·BEGIN·fix·(18·/·37)·for·'rsyslog_files_ownership'172 #·BEGIN·fix·(18·/·37)·for·'sudo_remove_no_authenticate'
173 ###############################################################################173 ###############################################################################
174 (>&2·echo·"Remediating·rule·18/37:·'rsyslog_files_ownership'")174 (>&2·echo·"Remediating·rule·18/37:·'sudo_remove_no_authenticate'")
175 #·FIX·FOR·THIS·RULE·IS·MISSING175 #·FIX·FOR·THIS·RULE·IS·MISSING
176 #·END·fix·for·'rsyslog_files_ownership'176 #·END·fix·for·'sudo_remove_no_authenticate'
  
177 ###############################################################################177 ###############################################################################
178 #·BEGIN·fix·(19·/·37)·for·'rsyslog_files_groupownership'178 #·BEGIN·fix·(19·/·37)·for·'sudo_remove_nopasswd'
179 ###############################################################################179 ###############################################################################
180 (>&2·echo·"Remediating·rule·19/37:·'rsyslog_files_groupownership'")180 (>&2·echo·"Remediating·rule·19/37:·'sudo_remove_nopasswd'")
181 #·FIX·FOR·THIS·RULE·IS·MISSING181 #·FIX·FOR·THIS·RULE·IS·MISSING
182 #·END·fix·for·'rsyslog_files_groupownership'182 #·END·fix·for·'sudo_remove_nopasswd'
  
183 ###############################################################################183 ###############################################################################
184 #·BEGIN·fix·(20·/·37)·for·'ensure_logrotate_activated'184 #·BEGIN·fix·(20·/·37)·for·'rsyslog_files_permissions'
185 ###############################################################################185 ###############################################################################
186 (>&2·echo·"Remediating·rule·20/37:·'ensure_logrotate_activated'")186 (>&2·echo·"Remediating·rule·20/37:·'rsyslog_files_permissions'")
187 #·FIX·FOR·THIS·RULE·IS·MISSING187 #·FIX·FOR·THIS·RULE·IS·MISSING
188 #·END·fix·for·'ensure_logrotate_activated'188 #·END·fix·for·'rsyslog_files_permissions'
  
189 ###############################################################################189 ###############################################################################
190 #·BEGIN·fix·(21·/·37)·for·'grub2_enable_iommu_force'190 #·BEGIN·fix·(21·/·37)·for·'rsyslog_files_ownership'
191 ###############################################################################191 ###############################################################################
192 (>&2·echo·"Remediating·rule·21/37:·'grub2_enable_iommu_force'")192 (>&2·echo·"Remediating·rule·21/37:·'rsyslog_files_ownership'")
193 #·FIX·FOR·THIS·RULE·IS·MISSING193 #·FIX·FOR·THIS·RULE·IS·MISSING
194 #·END·fix·for·'grub2_enable_iommu_force'194 #·END·fix·for·'rsyslog_files_ownership'
  
Max diff block lines reached; 1307/9231 bytes (14.16%) of diff not shown.
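Review bot: The rule order in this generated role script is not stable between the two builds — both columns carry the same 37 rules, but `package_telnetd_removed` and `package_inetutils-telnetd_removed` swap slots 2 and 5, `sshd_set_keepalive` and `sshd_disable_empty_passwords` swap slots 12 and 14, and `grub2_enable_iommu_force` moves from 21 to 17, which is exactly what makes the package unreproducible. Nothing in the profile content changed, so this looks like unordered set/dict iteration in the script generator; sorting the selected rule IDs before emitting the `BEGIN fix (n / 37)` blocks would make the output deterministic. That matters beyond reproducibility: a hardening script shipped to hosts is an obvious candidate for checksum-based integrity monitoring, and a build that yields a different file each time defeats that comparison. The reordering is only harmless because every block shown here is self-contained; the script header and the rules after 21/37 are outside the visible hunks.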
./usr/share/scap-security-guide/bash/ssg-ubuntu1404-role-anssi_np_nt28_minimal.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·11)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·11)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/11:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/11:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·11)·for·'package_telnetd-ssl_removed'47 #·BEGIN·fix·(3·/·11)·for·'package_telnetd-ssl_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/11:·'package_telnetd-ssl_removed'")49 (>&2·echo·"Remediating·rule·3/11:·'package_telnetd-ssl_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl50 #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 57, 25 lines modifiedOffset 57, 25 lines modified
57 #»      ···remediation·AFTER·testing·on·a·non-production57 #»      ···remediation·AFTER·testing·on·a·non-production
58 #»      ···system!58 #»      ···system!
  
59 apt-get·remove·--purge·telnetd-ssl59 apt-get·remove·--purge·telnetd-ssl
60 #·END·fix·for·'package_telnetd-ssl_removed'60 #·END·fix·for·'package_telnetd-ssl_removed'
  
61 ###############################################################################61 ###############################################################################
62 #·BEGIN·fix·(4·/·11)·for·'package_telnetd_removed'62 #·BEGIN·fix·(4·/·11)·for·'package_inetutils-telnetd_removed'
63 ###############################################################################63 ###############################################################################
64 (>&2·echo·"Remediating·rule·4/11:·'package_telnetd_removed'")64 (>&2·echo·"Remediating·rule·4/11:·'package_inetutils-telnetd_removed'")
65 #·CAUTION:·This·remediation·script·will·remove·telnetd65 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
66 #»      ···from·the·system,·and·may·remove·any·packages66 #»      ···from·the·system,·and·may·remove·any·packages
67 #»      ···that·depend·on·telnetd.·Execute·this67 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
68 #»      ···remediation·AFTER·testing·on·a·non-production68 #»      ···remediation·AFTER·testing·on·a·non-production
69 #»      ···system!69 #»      ···system!
  
70 apt-get·remove·--purge·telnetd70 apt-get·remove·--purge·inetutils-telnetd
71 #·END·fix·for·'package_telnetd_removed'71 #·END·fix·for·'package_inetutils-telnetd_removed'
  
72 ###############################################################################72 ###############################################################################
73 #·BEGIN·fix·(5·/·11)·for·'apt_conf_disallow_unauthenticated'73 #·BEGIN·fix·(5·/·11)·for·'apt_conf_disallow_unauthenticated'
74 ###############################################################################74 ###############################################################################
75 (>&2·echo·"Remediating·rule·5/11:·'apt_conf_disallow_unauthenticated'")75 (>&2·echo·"Remediating·rule·5/11:·'apt_conf_disallow_unauthenticated'")
76 #·FIX·FOR·THIS·RULE·IS·MISSING76 #·FIX·FOR·THIS·RULE·IS·MISSING
77 #·END·fix·for·'apt_conf_disallow_unauthenticated'77 #·END·fix·for·'apt_conf_disallow_unauthenticated'
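Review bot: The `apt-get remove --purge telnetd` and `apt-get remove --purge inetutils-telnetd` lines (44 and 70) run without `-y` or `DEBIAN_FRONTEND=noninteractive`, so in the case the CAUTION comment itself describes — dependents being removed along with the package — apt prompts for confirmation and an unattended run of this role script stalls or, with stdin closed, aborts at that rule; presumably the generator intends these blocks to be non-interactive, e.g. `DEBIAN_FRONTEND=noninteractive apt-get remove -y --purge telnetd`. Separately, rule 5/11 `apt_conf_disallow_unauthenticated` prints `Remediating rule 5/11` to stderr and then does nothing (`# FIX FOR THIS RULE IS MISSING`), so an operator reading the log would reasonably conclude APT has been configured to refuse unauthenticated packages when it has not; emitting `(>&2 echo "WARNING: no remediation available for 'apt_conf_disallow_unauthenticated'; apply manually")` in place of the bare comment would make the gap visible. The script header (lines 1–30) and the rules after 5/11 are outside the visible hunks.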
./usr/share/scap-security-guide/bash/ssg-ubuntu1404-role-anssi_np_nt28_restrictive.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·36)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·36)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/36:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/36:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed'47 #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'")49 (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·ntpdate50 #·CAUTION:·This·remediation·script·will·remove·ntpdate
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 70, 25 lines modifiedOffset 70, 25 lines modified
70 #»      ···remediation·AFTER·testing·on·a·non-production70 #»      ···remediation·AFTER·testing·on·a·non-production
71 #»      ···system!71 #»      ···system!
  
72 apt-get·remove·--purge·telnetd-ssl72 apt-get·remove·--purge·telnetd-ssl
73 #·END·fix·for·'package_telnetd-ssl_removed'73 #·END·fix·for·'package_telnetd-ssl_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(5·/·36)·for·'package_telnetd_removed'75 #·BEGIN·fix·(5·/·36)·for·'package_inetutils-telnetd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·5/36:·'package_telnetd_removed'")77 (>&2·echo·"Remediating·rule·5/36:·'package_inetutils-telnetd_removed'")
78 #·CAUTION:·This·remediation·script·will·remove·telnetd78 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
79 #»      ···from·the·system,·and·may·remove·any·packages79 #»      ···from·the·system,·and·may·remove·any·packages
80 #»      ···that·depend·on·telnetd.·Execute·this80 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
81 #»      ···remediation·AFTER·testing·on·a·non-production81 #»      ···remediation·AFTER·testing·on·a·non-production
82 #»      ···system!82 #»      ···system!
  
83 apt-get·remove·--purge·telnetd83 apt-get·remove·--purge·inetutils-telnetd
84 #·END·fix·for·'package_telnetd_removed'84 #·END·fix·for·'package_inetutils-telnetd_removed'
  
85 ###############################################################################85 ###############################################################################
86 #·BEGIN·fix·(6·/·36)·for·'package_ntp_installed'86 #·BEGIN·fix·(6·/·36)·for·'package_ntp_installed'
87 ###############################################################################87 ###############################################################################
88 (>&2·echo·"Remediating·rule·6/36:·'package_ntp_installed'")88 (>&2·echo·"Remediating·rule·6/36:·'package_ntp_installed'")
89 #·FIX·FOR·THIS·RULE·IS·MISSING89 #·FIX·FOR·THIS·RULE·IS·MISSING
90 #·END·fix·for·'package_ntp_installed'90 #·END·fix·for·'package_ntp_installed'
Offset 125, 33 lines modifiedOffset 125, 33 lines modified
125 #·BEGIN·fix·(11·/·36)·for·'sshd_allow_only_protocol2'125 #·BEGIN·fix·(11·/·36)·for·'sshd_allow_only_protocol2'
126 ###############################################################################126 ###############################################################################
127 (>&2·echo·"Remediating·rule·11/36:·'sshd_allow_only_protocol2'")127 (>&2·echo·"Remediating·rule·11/36:·'sshd_allow_only_protocol2'")
128 #·FIX·FOR·THIS·RULE·IS·MISSING128 #·FIX·FOR·THIS·RULE·IS·MISSING
129 #·END·fix·for·'sshd_allow_only_protocol2'129 #·END·fix·for·'sshd_allow_only_protocol2'
  
130 ###############################################################################130 ###############################################################################
131 #·BEGIN·fix·(12·/·36)·for·'sshd_disable_empty_passwords'131 #·BEGIN·fix·(12·/·36)·for·'sshd_set_keepalive'
132 ###############################################################################132 ###############################################################################
133 (>&2·echo·"Remediating·rule·12/36:·'sshd_disable_empty_passwords'")133 (>&2·echo·"Remediating·rule·12/36:·'sshd_set_keepalive'")
134 #·FIX·FOR·THIS·RULE·IS·MISSING134 #·FIX·FOR·THIS·RULE·IS·MISSING
135 #·END·fix·for·'sshd_disable_empty_passwords'135 #·END·fix·for·'sshd_set_keepalive'
  
136 ###############################################################################136 ###############################################################################
137 #·BEGIN·fix·(13·/·36)·for·'sshd_set_idle_timeout'137 #·BEGIN·fix·(13·/·36)·for·'sshd_set_idle_timeout'
138 ###############################################################################138 ###############################################################################
139 (>&2·echo·"Remediating·rule·13/36:·'sshd_set_idle_timeout'")139 (>&2·echo·"Remediating·rule·13/36:·'sshd_set_idle_timeout'")
140 #·FIX·FOR·THIS·RULE·IS·MISSING140 #·FIX·FOR·THIS·RULE·IS·MISSING
141 #·END·fix·for·'sshd_set_idle_timeout'141 #·END·fix·for·'sshd_set_idle_timeout'
  
142 ###############################################################################142 ###############################################################################
143 #·BEGIN·fix·(14·/·36)·for·'sshd_set_keepalive'143 #·BEGIN·fix·(14·/·36)·for·'sshd_disable_empty_passwords'
144 ###############################################################################144 ###############################################################################
145 (>&2·echo·"Remediating·rule·14/36:·'sshd_set_keepalive'")145 (>&2·echo·"Remediating·rule·14/36:·'sshd_disable_empty_passwords'")
146 #·FIX·FOR·THIS·RULE·IS·MISSING146 #·FIX·FOR·THIS·RULE·IS·MISSING
147 #·END·fix·for·'sshd_set_keepalive'147 #·END·fix·for·'sshd_disable_empty_passwords'
  
148 ###############################################################################148 ###############################################################################
149 #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login'149 #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login'
150 ###############################################################################150 ###############################################################################
151 (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'")151 (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'")
152 #·FIX·FOR·THIS·RULE·IS·MISSING152 #·FIX·FOR·THIS·RULE·IS·MISSING
153 #·END·fix·for·'sshd_disable_root_login'153 #·END·fix·for·'sshd_disable_root_login'
Offset 160, 54 lines modifiedOffset 160, 54 lines modified
160 #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated'160 #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated'
161 ###############################################################################161 ###############################################################################
162 (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'")162 (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'")
163 #·FIX·FOR·THIS·RULE·IS·MISSING163 #·FIX·FOR·THIS·RULE·IS·MISSING
164 #·END·fix·for·'apt_conf_disallow_unauthenticated'164 #·END·fix·for·'apt_conf_disallow_unauthenticated'
  
165 ###############################################################################165 ###############################################################################
166 #·BEGIN·fix·(17·/·36)·for·'rsyslog_files_permissions'166 #·BEGIN·fix·(17·/·36)·for·'sudo_remove_no_authenticate'
167 ###############################################################################167 ###############################################################################
168 (>&2·echo·"Remediating·rule·17/36:·'rsyslog_files_permissions'")168 (>&2·echo·"Remediating·rule·17/36:·'sudo_remove_no_authenticate'")
169 #·FIX·FOR·THIS·RULE·IS·MISSING169 #·FIX·FOR·THIS·RULE·IS·MISSING
170 #·END·fix·for·'rsyslog_files_permissions'170 #·END·fix·for·'sudo_remove_no_authenticate'
  
171 ###############################################################################171 ###############################################################################
172 #·BEGIN·fix·(18·/·36)·for·'rsyslog_files_ownership'172 #·BEGIN·fix·(18·/·36)·for·'sudo_remove_nopasswd'
173 ###############################################################################173 ###############################################################################
174 (>&2·echo·"Remediating·rule·18/36:·'rsyslog_files_ownership'")174 (>&2·echo·"Remediating·rule·18/36:·'sudo_remove_nopasswd'")
175 #·FIX·FOR·THIS·RULE·IS·MISSING175 #·FIX·FOR·THIS·RULE·IS·MISSING
176 #·END·fix·for·'rsyslog_files_ownership'176 #·END·fix·for·'sudo_remove_nopasswd'
  
177 ###############################################################################177 ###############################################################################
178 #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_groupownership'178 #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_permissions'
179 ###############################################################################179 ###############################################################################
180 (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_groupownership'")180 (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_permissions'")
181 #·FIX·FOR·THIS·RULE·IS·MISSING181 #·FIX·FOR·THIS·RULE·IS·MISSING
182 #·END·fix·for·'rsyslog_files_groupownership'182 #·END·fix·for·'rsyslog_files_permissions'
  
183 ###############################################################################183 ###############################################################################
184 #·BEGIN·fix·(20·/·36)·for·'ensure_logrotate_activated'184 #·BEGIN·fix·(20·/·36)·for·'rsyslog_files_ownership'
185 ###############################################################################185 ###############################################################################
186 (>&2·echo·"Remediating·rule·20/36:·'ensure_logrotate_activated'")186 (>&2·echo·"Remediating·rule·20/36:·'rsyslog_files_ownership'")
187 #·FIX·FOR·THIS·RULE·IS·MISSING187 #·FIX·FOR·THIS·RULE·IS·MISSING
188 #·END·fix·for·'ensure_logrotate_activated'188 #·END·fix·for·'rsyslog_files_ownership'
  
189 ###############################################################################189 ###############################################################################
190 #·BEGIN·fix·(21·/·36)·for·'sudo_remove_no_authenticate'190 #·BEGIN·fix·(21·/·36)·for·'rsyslog_files_groupownership'
191 ###############################################################################191 ###############################################################################
192 (>&2·echo·"Remediating·rule·21/36:·'sudo_remove_no_authenticate'")192 (>&2·echo·"Remediating·rule·21/36:·'rsyslog_files_groupownership'")
193 #·FIX·FOR·THIS·RULE·IS·MISSING193 #·FIX·FOR·THIS·RULE·IS·MISSING
194 #·END·fix·for·'sudo_remove_no_authenticate'194 #·END·fix·for·'rsyslog_files_groupownership'
  
Max diff block lines reached; 768/8713 bytes (8.81%) of diff not shown.
4.93 KB
./usr/share/scap-security-guide/bash/ssg-ubuntu1404-role-standard.sh
    
Offset 33, 25 lines modifiedOffset 33, 25 lines modified
33 #»      ···remediation·AFTER·testing·on·a·non-production33 #»      ···remediation·AFTER·testing·on·a·non-production
34 #»      ···system!34 #»      ···system!
  
35 apt-get·remove·--purge·nis35 apt-get·remove·--purge·nis
36 #·END·fix·for·'package_nis_removed'36 #·END·fix·for·'package_nis_removed'
  
37 ###############################################################################37 ###############################################################################
38 #·BEGIN·fix·(2·/·36)·for·'package_inetutils-telnetd_removed'38 #·BEGIN·fix·(2·/·36)·for·'package_telnetd_removed'
39 ###############################################################################39 ###############################################################################
40 (>&2·echo·"Remediating·rule·2/36:·'package_inetutils-telnetd_removed'")40 (>&2·echo·"Remediating·rule·2/36:·'package_telnetd_removed'")
41 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd41 #·CAUTION:·This·remediation·script·will·remove·telnetd
42 #»      ···from·the·system,·and·may·remove·any·packages42 #»      ···from·the·system,·and·may·remove·any·packages
43 #»      ···that·depend·on·inetutils-telnetd.·Execute·this43 #»      ···that·depend·on·telnetd.·Execute·this
44 #»      ···remediation·AFTER·testing·on·a·non-production44 #»      ···remediation·AFTER·testing·on·a·non-production
45 #»      ···system!45 #»      ···system!
  
46 apt-get·remove·--purge·inetutils-telnetd46 apt-get·remove·--purge·telnetd
47 #·END·fix·for·'package_inetutils-telnetd_removed'47 #·END·fix·for·'package_telnetd_removed'
  
48 ###############################################################################48 ###############################################################################
49 #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed'49 #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed'
50 ###############################################################################50 ###############################################################################
51 (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'")51 (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'")
52 #·CAUTION:·This·remediation·script·will·remove·ntpdate52 #·CAUTION:·This·remediation·script·will·remove·ntpdate
53 #»      ···from·the·system,·and·may·remove·any·packages53 #»      ···from·the·system,·and·may·remove·any·packages
Offset 72, 25 lines modifiedOffset 72, 25 lines modified
72 #»      ···remediation·AFTER·testing·on·a·non-production72 #»      ···remediation·AFTER·testing·on·a·non-production
73 #»      ···system!73 #»      ···system!
  
74 apt-get·remove·--purge·telnetd-ssl74 apt-get·remove·--purge·telnetd-ssl
75 #·END·fix·for·'package_telnetd-ssl_removed'75 #·END·fix·for·'package_telnetd-ssl_removed'
  
76 ###############################################################################76 ###############################################################################
77 #·BEGIN·fix·(5·/·36)·for·'package_telnetd_removed'77 #·BEGIN·fix·(5·/·36)·for·'package_inetutils-telnetd_removed'
78 ###############################################################################78 ###############################################################################
79 (>&2·echo·"Remediating·rule·5/36:·'package_telnetd_removed'")79 (>&2·echo·"Remediating·rule·5/36:·'package_inetutils-telnetd_removed'")
80 #·CAUTION:·This·remediation·script·will·remove·telnetd80 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
81 #»      ···from·the·system,·and·may·remove·any·packages81 #»      ···from·the·system,·and·may·remove·any·packages
82 #»      ···that·depend·on·telnetd.·Execute·this82 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
83 #»      ···remediation·AFTER·testing·on·a·non-production83 #»      ···remediation·AFTER·testing·on·a·non-production
84 #»      ···system!84 #»      ···system!
  
85 apt-get·remove·--purge·telnetd85 apt-get·remove·--purge·inetutils-telnetd
86 #·END·fix·for·'package_telnetd_removed'86 #·END·fix·for·'package_inetutils-telnetd_removed'
  
87 ###############################################################################87 ###############################################################################
88 #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled'88 #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled'
89 ###############################################################################89 ###############################################################################
90 (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'")90 (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'")
91 #·FIX·FOR·THIS·RULE·IS·MISSING91 #·FIX·FOR·THIS·RULE·IS·MISSING
92 #·END·fix·for·'service_cron_enabled'92 #·END·fix·for·'service_cron_enabled'
Offset 134, 33 lines modifiedOffset 134, 33 lines modified
134 #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2'134 #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2'
135 ###############################################################################135 ###############################################################################
136 (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'")136 (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'")
137 #·FIX·FOR·THIS·RULE·IS·MISSING137 #·FIX·FOR·THIS·RULE·IS·MISSING
138 #·END·fix·for·'sshd_allow_only_protocol2'138 #·END·fix·for·'sshd_allow_only_protocol2'
  
139 ###############################################################################139 ###############################################################################
140 #·BEGIN·fix·(13·/·36)·for·'sshd_disable_empty_passwords'140 #·BEGIN·fix·(13·/·36)·for·'sshd_set_keepalive'
141 ###############################################################################141 ###############################################################################
142 (>&2·echo·"Remediating·rule·13/36:·'sshd_disable_empty_passwords'")142 (>&2·echo·"Remediating·rule·13/36:·'sshd_set_keepalive'")
143 #·FIX·FOR·THIS·RULE·IS·MISSING143 #·FIX·FOR·THIS·RULE·IS·MISSING
144 #·END·fix·for·'sshd_disable_empty_passwords'144 #·END·fix·for·'sshd_set_keepalive'
  
145 ###############################################################################145 ###############################################################################
146 #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout'146 #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout'
147 ###############################################################################147 ###############################################################################
148 (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'")148 (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'")
149 #·FIX·FOR·THIS·RULE·IS·MISSING149 #·FIX·FOR·THIS·RULE·IS·MISSING
150 #·END·fix·for·'sshd_set_idle_timeout'150 #·END·fix·for·'sshd_set_idle_timeout'
  
151 ###############################################################################151 ###############################################################################
152 #·BEGIN·fix·(15·/·36)·for·'sshd_set_keepalive'152 #·BEGIN·fix·(15·/·36)·for·'sshd_disable_empty_passwords'
153 ###############################################################################153 ###############################################################################
154 (>&2·echo·"Remediating·rule·15/36:·'sshd_set_keepalive'")154 (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_empty_passwords'")
155 #·FIX·FOR·THIS·RULE·IS·MISSING155 #·FIX·FOR·THIS·RULE·IS·MISSING
156 #·END·fix·for·'sshd_set_keepalive'156 #·END·fix·for·'sshd_disable_empty_passwords'
  
157 ###############################################################################157 ###############################################################################
158 #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login'158 #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login'
159 ###############################################################################159 ###############################################################################
160 (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'")160 (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'")
161 #·FIX·FOR·THIS·RULE·IS·MISSING161 #·FIX·FOR·THIS·RULE·IS·MISSING
162 #·END·fix·for·'sshd_disable_root_login'162 #·END·fix·for·'sshd_disable_root_login'
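Review bot: The only difference between the two builds of ssg-ubuntu1404-role-standard.sh is the order in which rule blocks are emitted (`package_telnetd_removed` swaps places with `package_inetutils-telnetd_removed` at rules 2 and 5, `sshd_set_keepalive` with `sshd_disable_empty_passwords` at 13 and 15), so the generator appears to iterate the selected rules in a non-deterministic order; sorting the rule ids before numbering and emitting them would make the output reproducible. The same reordering appears in the ssg-ubuntu1604-role-anssi_np_nt28_average.sh and ssg-ubuntu1604-role-anssi_np_nt28_high.sh sections below and in the section that ends at the top of this view. Because the `Remediating rule N/36` counter is derived from that order, the same rule receives a different number in each build, which makes stderr output from different builds hard to correlate and makes a diff of the remediation set between releases noisy for no functional reason.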
8.66 KB
./usr/share/scap-security-guide/bash/ssg-ubuntu1604-role-anssi_np_nt28_average.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·32)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·32)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/32:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/32:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·32)·for·'package_ntpdate_removed'47 #·BEGIN·fix·(3·/·32)·for·'package_ntpdate_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/32:·'package_ntpdate_removed'")49 (>&2·echo·"Remediating·rule·3/32:·'package_ntpdate_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·ntpdate50 #·CAUTION:·This·remediation·script·will·remove·ntpdate
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 70, 25 lines modifiedOffset 70, 25 lines modified
70 #»      ···remediation·AFTER·testing·on·a·non-production70 #»      ···remediation·AFTER·testing·on·a·non-production
71 #»      ···system!71 #»      ···system!
  
72 apt-get·remove·--purge·telnetd-ssl72 apt-get·remove·--purge·telnetd-ssl
73 #·END·fix·for·'package_telnetd-ssl_removed'73 #·END·fix·for·'package_telnetd-ssl_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(5·/·32)·for·'package_telnetd_removed'75 #·BEGIN·fix·(5·/·32)·for·'package_inetutils-telnetd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·5/32:·'package_telnetd_removed'")77 (>&2·echo·"Remediating·rule·5/32:·'package_inetutils-telnetd_removed'")
78 #·CAUTION:·This·remediation·script·will·remove·telnetd78 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
79 #»      ···from·the·system,·and·may·remove·any·packages79 #»      ···from·the·system,·and·may·remove·any·packages
80 #»      ···that·depend·on·telnetd.·Execute·this80 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
81 #»      ···remediation·AFTER·testing·on·a·non-production81 #»      ···remediation·AFTER·testing·on·a·non-production
82 #»      ···system!82 #»      ···system!
  
83 apt-get·remove·--purge·telnetd83 apt-get·remove·--purge·inetutils-telnetd
84 #·END·fix·for·'package_telnetd_removed'84 #·END·fix·for·'package_inetutils-telnetd_removed'
  
85 ###############################################################################85 ###############################################################################
86 #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed'86 #·BEGIN·fix·(6·/·32)·for·'package_ntp_installed'
87 ###############################################################################87 ###############################################################################
88 (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'")88 (>&2·echo·"Remediating·rule·6/32:·'package_ntp_installed'")
89 #·FIX·FOR·THIS·RULE·IS·MISSING89 #·FIX·FOR·THIS·RULE·IS·MISSING
90 #·END·fix·for·'package_ntp_installed'90 #·END·fix·for·'package_ntp_installed'
Offset 97, 33 lines modifiedOffset 97, 33 lines modified
97 #·BEGIN·fix·(7·/·32)·for·'sshd_allow_only_protocol2'97 #·BEGIN·fix·(7·/·32)·for·'sshd_allow_only_protocol2'
98 ###############################################################################98 ###############################################################################
99 (>&2·echo·"Remediating·rule·7/32:·'sshd_allow_only_protocol2'")99 (>&2·echo·"Remediating·rule·7/32:·'sshd_allow_only_protocol2'")
100 #·FIX·FOR·THIS·RULE·IS·MISSING100 #·FIX·FOR·THIS·RULE·IS·MISSING
101 #·END·fix·for·'sshd_allow_only_protocol2'101 #·END·fix·for·'sshd_allow_only_protocol2'
  
102 ###############################################################################102 ###############################################################################
103 #·BEGIN·fix·(8·/·32)·for·'sshd_disable_empty_passwords'103 #·BEGIN·fix·(8·/·32)·for·'sshd_set_keepalive'
104 ###############################################################################104 ###############################################################################
105 (>&2·echo·"Remediating·rule·8/32:·'sshd_disable_empty_passwords'")105 (>&2·echo·"Remediating·rule·8/32:·'sshd_set_keepalive'")
106 #·FIX·FOR·THIS·RULE·IS·MISSING106 #·FIX·FOR·THIS·RULE·IS·MISSING
107 #·END·fix·for·'sshd_disable_empty_passwords'107 #·END·fix·for·'sshd_set_keepalive'
  
108 ###############################################################################108 ###############################################################################
109 #·BEGIN·fix·(9·/·32)·for·'sshd_set_idle_timeout'109 #·BEGIN·fix·(9·/·32)·for·'sshd_set_idle_timeout'
110 ###############################################################################110 ###############################################################################
111 (>&2·echo·"Remediating·rule·9/32:·'sshd_set_idle_timeout'")111 (>&2·echo·"Remediating·rule·9/32:·'sshd_set_idle_timeout'")
112 #·FIX·FOR·THIS·RULE·IS·MISSING112 #·FIX·FOR·THIS·RULE·IS·MISSING
113 #·END·fix·for·'sshd_set_idle_timeout'113 #·END·fix·for·'sshd_set_idle_timeout'
  
114 ###############################################################################114 ###############################################################################
115 #·BEGIN·fix·(10·/·32)·for·'sshd_set_keepalive'115 #·BEGIN·fix·(10·/·32)·for·'sshd_disable_empty_passwords'
116 ###############################################################################116 ###############################################################################
117 (>&2·echo·"Remediating·rule·10/32:·'sshd_set_keepalive'")117 (>&2·echo·"Remediating·rule·10/32:·'sshd_disable_empty_passwords'")
118 #·FIX·FOR·THIS·RULE·IS·MISSING118 #·FIX·FOR·THIS·RULE·IS·MISSING
119 #·END·fix·for·'sshd_set_keepalive'119 #·END·fix·for·'sshd_disable_empty_passwords'
  
120 ###############################################################################120 ###############################################################################
121 #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login'121 #·BEGIN·fix·(11·/·32)·for·'sshd_disable_root_login'
122 ###############################################################################122 ###############################################################################
123 (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'")123 (>&2·echo·"Remediating·rule·11/32:·'sshd_disable_root_login'")
124 #·FIX·FOR·THIS·RULE·IS·MISSING124 #·FIX·FOR·THIS·RULE·IS·MISSING
125 #·END·fix·for·'sshd_disable_root_login'125 #·END·fix·for·'sshd_disable_root_login'
Offset 132, 54 lines modifiedOffset 132, 54 lines modified
132 #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated'132 #·BEGIN·fix·(12·/·32)·for·'apt_conf_disallow_unauthenticated'
133 ###############################################################################133 ###############################################################################
134 (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'")134 (>&2·echo·"Remediating·rule·12/32:·'apt_conf_disallow_unauthenticated'")
135 #·FIX·FOR·THIS·RULE·IS·MISSING135 #·FIX·FOR·THIS·RULE·IS·MISSING
136 #·END·fix·for·'apt_conf_disallow_unauthenticated'136 #·END·fix·for·'apt_conf_disallow_unauthenticated'
  
137 ###############################################################################137 ###############################################################################
138 #·BEGIN·fix·(13·/·32)·for·'rsyslog_files_permissions'138 #·BEGIN·fix·(13·/·32)·for·'sudo_remove_no_authenticate'
139 ###############################################################################139 ###############################################################################
140 (>&2·echo·"Remediating·rule·13/32:·'rsyslog_files_permissions'")140 (>&2·echo·"Remediating·rule·13/32:·'sudo_remove_no_authenticate'")
141 #·FIX·FOR·THIS·RULE·IS·MISSING141 #·FIX·FOR·THIS·RULE·IS·MISSING
142 #·END·fix·for·'rsyslog_files_permissions'142 #·END·fix·for·'sudo_remove_no_authenticate'
  
143 ###############################################################################143 ###############################################################################
144 #·BEGIN·fix·(14·/·32)·for·'rsyslog_files_ownership'144 #·BEGIN·fix·(14·/·32)·for·'sudo_remove_nopasswd'
145 ###############################################################################145 ###############################################################################
146 (>&2·echo·"Remediating·rule·14/32:·'rsyslog_files_ownership'")146 (>&2·echo·"Remediating·rule·14/32:·'sudo_remove_nopasswd'")
147 #·FIX·FOR·THIS·RULE·IS·MISSING147 #·FIX·FOR·THIS·RULE·IS·MISSING
148 #·END·fix·for·'rsyslog_files_ownership'148 #·END·fix·for·'sudo_remove_nopasswd'
  
149 ###############################################################################149 ###############################################################################
150 #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_groupownership'150 #·BEGIN·fix·(15·/·32)·for·'rsyslog_files_permissions'
151 ###############################################################################151 ###############################################################################
152 (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_groupownership'")152 (>&2·echo·"Remediating·rule·15/32:·'rsyslog_files_permissions'")
153 #·FIX·FOR·THIS·RULE·IS·MISSING153 #·FIX·FOR·THIS·RULE·IS·MISSING
154 #·END·fix·for·'rsyslog_files_groupownership'154 #·END·fix·for·'rsyslog_files_permissions'
  
155 ###############################################################################155 ###############################################################################
156 #·BEGIN·fix·(16·/·32)·for·'ensure_logrotate_activated'156 #·BEGIN·fix·(16·/·32)·for·'rsyslog_files_ownership'
157 ###############################################################################157 ###############################################################################
158 (>&2·echo·"Remediating·rule·16/32:·'ensure_logrotate_activated'")158 (>&2·echo·"Remediating·rule·16/32:·'rsyslog_files_ownership'")
159 #·FIX·FOR·THIS·RULE·IS·MISSING159 #·FIX·FOR·THIS·RULE·IS·MISSING
160 #·END·fix·for·'ensure_logrotate_activated'160 #·END·fix·for·'rsyslog_files_ownership'
  
161 ###############################################################################161 ###############################################################################
162 #·BEGIN·fix·(17·/·32)·for·'sudo_remove_no_authenticate'162 #·BEGIN·fix·(17·/·32)·for·'rsyslog_files_groupownership'
163 ###############################################################################163 ###############################################################################
164 (>&2·echo·"Remediating·rule·17/32:·'sudo_remove_no_authenticate'")164 (>&2·echo·"Remediating·rule·17/32:·'rsyslog_files_groupownership'")
165 #·FIX·FOR·THIS·RULE·IS·MISSING165 #·FIX·FOR·THIS·RULE·IS·MISSING
166 #·END·fix·for·'sudo_remove_no_authenticate'166 #·END·fix·for·'rsyslog_files_groupownership'
  
Max diff block lines reached; 768/8703 bytes (8.82%) of diff not shown.
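Review bot: Most rule blocks in this section carry `# FIX FOR THIS RULE IS MISSING` (sshd_allow_only_protocol2, sshd_disable_empty_passwords, sshd_disable_root_login, apt_conf_disallow_unauthenticated, sudo_remove_no_authenticate, sudo_remove_nopasswd, the rsyslog_files_* rules), so for those controls the role script only prints `Remediating rule N/32: '...'` to stderr and changes nothing, and a reader of the log cannot distinguish a no-op from an applied fix. Consider having the generator emit a distinct message for rules without a bash remediation, e.g. `(>&2 echo "No bash remediation for rule 13/32: 'sudo_remove_no_authenticate' - verify manually")`, and listing those rule ids in the script header so operators know which controls still need manual or configuration-management coverage. This is unchanged between the two builds; the visible hunks only reorder the blocks.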
9.17 KB
./usr/share/scap-security-guide/bash/ssg-ubuntu1604-role-anssi_np_nt28_high.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·37)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·37)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/37:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/37:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed'47 #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'")49 (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·ntpdate50 #·CAUTION:·This·remediation·script·will·remove·ntpdate
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 70, 25 lines modifiedOffset 70, 25 lines modified
70 #»      ···remediation·AFTER·testing·on·a·non-production70 #»      ···remediation·AFTER·testing·on·a·non-production
71 #»      ···system!71 #»      ···system!
  
72 apt-get·remove·--purge·telnetd-ssl72 apt-get·remove·--purge·telnetd-ssl
73 #·END·fix·for·'package_telnetd-ssl_removed'73 #·END·fix·for·'package_telnetd-ssl_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(5·/·37)·for·'package_telnetd_removed'75 #·BEGIN·fix·(5·/·37)·for·'package_inetutils-telnetd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·5/37:·'package_telnetd_removed'")77 (>&2·echo·"Remediating·rule·5/37:·'package_inetutils-telnetd_removed'")
78 #·CAUTION:·This·remediation·script·will·remove·telnetd78 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
79 #»      ···from·the·system,·and·may·remove·any·packages79 #»      ···from·the·system,·and·may·remove·any·packages
80 #»      ···that·depend·on·telnetd.·Execute·this80 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
81 #»      ···remediation·AFTER·testing·on·a·non-production81 #»      ···remediation·AFTER·testing·on·a·non-production
82 #»      ···system!82 #»      ···system!
  
83 apt-get·remove·--purge·telnetd83 apt-get·remove·--purge·inetutils-telnetd
84 #·END·fix·for·'package_telnetd_removed'84 #·END·fix·for·'package_inetutils-telnetd_removed'
  
85 ###############################################################################85 ###############################################################################
86 #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed'86 #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed'
87 ###############################################################################87 ###############################################################################
88 (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'")88 (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'")
89 #·FIX·FOR·THIS·RULE·IS·MISSING89 #·FIX·FOR·THIS·RULE·IS·MISSING
90 #·END·fix·for·'package_ntp_installed'90 #·END·fix·for·'package_ntp_installed'
Offset 125, 33 lines modifiedOffset 125, 33 lines modified
125 #·BEGIN·fix·(11·/·37)·for·'sshd_allow_only_protocol2'125 #·BEGIN·fix·(11·/·37)·for·'sshd_allow_only_protocol2'
126 ###############################################################################126 ###############################################################################
127 (>&2·echo·"Remediating·rule·11/37:·'sshd_allow_only_protocol2'")127 (>&2·echo·"Remediating·rule·11/37:·'sshd_allow_only_protocol2'")
128 #·FIX·FOR·THIS·RULE·IS·MISSING128 #·FIX·FOR·THIS·RULE·IS·MISSING
129 #·END·fix·for·'sshd_allow_only_protocol2'129 #·END·fix·for·'sshd_allow_only_protocol2'
  
130 ###############################################################################130 ###############################################################################
131 #·BEGIN·fix·(12·/·37)·for·'sshd_disable_empty_passwords'131 #·BEGIN·fix·(12·/·37)·for·'sshd_set_keepalive'
132 ###############################################################################132 ###############################################################################
133 (>&2·echo·"Remediating·rule·12/37:·'sshd_disable_empty_passwords'")133 (>&2·echo·"Remediating·rule·12/37:·'sshd_set_keepalive'")
134 #·FIX·FOR·THIS·RULE·IS·MISSING134 #·FIX·FOR·THIS·RULE·IS·MISSING
135 #·END·fix·for·'sshd_disable_empty_passwords'135 #·END·fix·for·'sshd_set_keepalive'
  
136 ###############################################################################136 ###############################################################################
137 #·BEGIN·fix·(13·/·37)·for·'sshd_set_idle_timeout'137 #·BEGIN·fix·(13·/·37)·for·'sshd_set_idle_timeout'
138 ###############################################################################138 ###############################################################################
139 (>&2·echo·"Remediating·rule·13/37:·'sshd_set_idle_timeout'")139 (>&2·echo·"Remediating·rule·13/37:·'sshd_set_idle_timeout'")
140 #·FIX·FOR·THIS·RULE·IS·MISSING140 #·FIX·FOR·THIS·RULE·IS·MISSING
141 #·END·fix·for·'sshd_set_idle_timeout'141 #·END·fix·for·'sshd_set_idle_timeout'
  
142 ###############################################################################142 ###############################################################################
143 #·BEGIN·fix·(14·/·37)·for·'sshd_set_keepalive'143 #·BEGIN·fix·(14·/·37)·for·'sshd_disable_empty_passwords'
144 ###############################################################################144 ###############################################################################
145 (>&2·echo·"Remediating·rule·14/37:·'sshd_set_keepalive'")145 (>&2·echo·"Remediating·rule·14/37:·'sshd_disable_empty_passwords'")
146 #·FIX·FOR·THIS·RULE·IS·MISSING146 #·FIX·FOR·THIS·RULE·IS·MISSING
147 #·END·fix·for·'sshd_set_keepalive'147 #·END·fix·for·'sshd_disable_empty_passwords'
  
148 ###############################################################################148 ###############################################################################
149 #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login'149 #·BEGIN·fix·(15·/·37)·for·'sshd_disable_root_login'
150 ###############################################################################150 ###############################################################################
151 (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'")151 (>&2·echo·"Remediating·rule·15/37:·'sshd_disable_root_login'")
152 #·FIX·FOR·THIS·RULE·IS·MISSING152 #·FIX·FOR·THIS·RULE·IS·MISSING
153 #·END·fix·for·'sshd_disable_root_login'153 #·END·fix·for·'sshd_disable_root_login'
Offset 160, 61 lines modifiedOffset 160, 61 lines modified
160 #·BEGIN·fix·(16·/·37)·for·'apt_conf_disallow_unauthenticated'160 #·BEGIN·fix·(16·/·37)·for·'apt_conf_disallow_unauthenticated'
161 ###############################################################################161 ###############################################################################
162 (>&2·echo·"Remediating·rule·16/37:·'apt_conf_disallow_unauthenticated'")162 (>&2·echo·"Remediating·rule·16/37:·'apt_conf_disallow_unauthenticated'")
163 #·FIX·FOR·THIS·RULE·IS·MISSING163 #·FIX·FOR·THIS·RULE·IS·MISSING
164 #·END·fix·for·'apt_conf_disallow_unauthenticated'164 #·END·fix·for·'apt_conf_disallow_unauthenticated'
  
165 ###############################################################################165 ###############################################################################
166 #·BEGIN·fix·(17·/·37)·for·'rsyslog_files_permissions'166 #·BEGIN·fix·(17·/·37)·for·'grub2_enable_iommu_force'
167 ###############################################################################167 ###############################################################################
168 (>&2·echo·"Remediating·rule·17/37:·'rsyslog_files_permissions'")168 (>&2·echo·"Remediating·rule·17/37:·'grub2_enable_iommu_force'")
169 #·FIX·FOR·THIS·RULE·IS·MISSING169 #·FIX·FOR·THIS·RULE·IS·MISSING
170 #·END·fix·for·'rsyslog_files_permissions'170 #·END·fix·for·'grub2_enable_iommu_force'
  
171 ###############################################################################171 ###############################################################################
172 #·BEGIN·fix·(18·/·37)·for·'rsyslog_files_ownership'172 #·BEGIN·fix·(18·/·37)·for·'sudo_remove_no_authenticate'
173 ###############################################################################173 ###############################################################################
174 (>&2·echo·"Remediating·rule·18/37:·'rsyslog_files_ownership'")174 (>&2·echo·"Remediating·rule·18/37:·'sudo_remove_no_authenticate'")
175 #·FIX·FOR·THIS·RULE·IS·MISSING175 #·FIX·FOR·THIS·RULE·IS·MISSING
176 #·END·fix·for·'rsyslog_files_ownership'176 #·END·fix·for·'sudo_remove_no_authenticate'
  
177 ###############################################################################177 ###############################################################################
178 #·BEGIN·fix·(19·/·37)·for·'rsyslog_files_groupownership'178 #·BEGIN·fix·(19·/·37)·for·'sudo_remove_nopasswd'
179 ###############################################################################179 ###############################################################################
180 (>&2·echo·"Remediating·rule·19/37:·'rsyslog_files_groupownership'")180 (>&2·echo·"Remediating·rule·19/37:·'sudo_remove_nopasswd'")
181 #·FIX·FOR·THIS·RULE·IS·MISSING181 #·FIX·FOR·THIS·RULE·IS·MISSING
182 #·END·fix·for·'rsyslog_files_groupownership'182 #·END·fix·for·'sudo_remove_nopasswd'
  
183 ###############################################################################183 ###############################################################################
184 #·BEGIN·fix·(20·/·37)·for·'ensure_logrotate_activated'184 #·BEGIN·fix·(20·/·37)·for·'rsyslog_files_permissions'
185 ###############################################################################185 ###############################################################################
186 (>&2·echo·"Remediating·rule·20/37:·'ensure_logrotate_activated'")186 (>&2·echo·"Remediating·rule·20/37:·'rsyslog_files_permissions'")
187 #·FIX·FOR·THIS·RULE·IS·MISSING187 #·FIX·FOR·THIS·RULE·IS·MISSING
188 #·END·fix·for·'ensure_logrotate_activated'188 #·END·fix·for·'rsyslog_files_permissions'
  
189 ###############################################################################189 ###############################################################################
190 #·BEGIN·fix·(21·/·37)·for·'grub2_enable_iommu_force'190 #·BEGIN·fix·(21·/·37)·for·'rsyslog_files_ownership'
191 ###############################################################################191 ###############################################################################
192 (>&2·echo·"Remediating·rule·21/37:·'grub2_enable_iommu_force'")192 (>&2·echo·"Remediating·rule·21/37:·'rsyslog_files_ownership'")
193 #·FIX·FOR·THIS·RULE·IS·MISSING193 #·FIX·FOR·THIS·RULE·IS·MISSING
194 #·END·fix·for·'grub2_enable_iommu_force'194 #·END·fix·for·'rsyslog_files_ownership'
  
Max diff block lines reached; 1307/9231 bytes (14.16%) of diff not shown.
3.03 KB
./usr/share/scap-security-guide/bash/ssg-ubuntu1604-role-anssi_np_nt28_minimal.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·11)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·11)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/11:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/11:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·11)·for·'package_telnetd-ssl_removed'47 #·BEGIN·fix·(3·/·11)·for·'package_telnetd-ssl_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/11:·'package_telnetd-ssl_removed'")49 (>&2·echo·"Remediating·rule·3/11:·'package_telnetd-ssl_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl50 #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 57, 25 lines modifiedOffset 57, 25 lines modified
57 #»      ···remediation·AFTER·testing·on·a·non-production57 #»      ···remediation·AFTER·testing·on·a·non-production
58 #»      ···system!58 #»      ···system!
  
59 apt-get·remove·--purge·telnetd-ssl59 apt-get·remove·--purge·telnetd-ssl
60 #·END·fix·for·'package_telnetd-ssl_removed'60 #·END·fix·for·'package_telnetd-ssl_removed'
  
61 ###############################################################################61 ###############################################################################
62 #·BEGIN·fix·(4·/·11)·for·'package_telnetd_removed'62 #·BEGIN·fix·(4·/·11)·for·'package_inetutils-telnetd_removed'
63 ###############################################################################63 ###############################################################################
64 (>&2·echo·"Remediating·rule·4/11:·'package_telnetd_removed'")64 (>&2·echo·"Remediating·rule·4/11:·'package_inetutils-telnetd_removed'")
65 #·CAUTION:·This·remediation·script·will·remove·telnetd65 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
66 #»      ···from·the·system,·and·may·remove·any·packages66 #»      ···from·the·system,·and·may·remove·any·packages
67 #»      ···that·depend·on·telnetd.·Execute·this67 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
68 #»      ···remediation·AFTER·testing·on·a·non-production68 #»      ···remediation·AFTER·testing·on·a·non-production
69 #»      ···system!69 #»      ···system!
  
70 apt-get·remove·--purge·telnetd70 apt-get·remove·--purge·inetutils-telnetd
71 #·END·fix·for·'package_telnetd_removed'71 #·END·fix·for·'package_inetutils-telnetd_removed'
  
72 ###############################################################################72 ###############################################################################
73 #·BEGIN·fix·(5·/·11)·for·'apt_conf_disallow_unauthenticated'73 #·BEGIN·fix·(5·/·11)·for·'apt_conf_disallow_unauthenticated'
74 ###############################################################################74 ###############################################################################
75 (>&2·echo·"Remediating·rule·5/11:·'apt_conf_disallow_unauthenticated'")75 (>&2·echo·"Remediating·rule·5/11:·'apt_conf_disallow_unauthenticated'")
76 #·FIX·FOR·THIS·RULE·IS·MISSING76 #·FIX·FOR·THIS·RULE·IS·MISSING
77 #·END·fix·for·'apt_conf_disallow_unauthenticated'77 #·END·fix·for·'apt_conf_disallow_unauthenticated'
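Review bot: The rule order in this generated script differs between the two builds — rule 2/11 is `package_inetutils-telnetd_removed` in one build and `package_telnetd_removed` in the other, and rule 4/11 is swapped the opposite way — so the same source yields a different ssg-ubuntu1604-role-anssi_np_nt28_minimal.sh on each build and the package is not reproducible. Both orderings run the same `apt-get remove --purge` commands, so the effect on a target host is unchanged, but a consumer can no longer verify the shipped remediation script against an independent rebuild by hash, which is the supply-chain check reproducible builds exist to provide. The generator that assigns the `(N / M)` index and the `Remediating rule N/M` message presumably walks the selected rules in an unordered collection (hash or set order, or directory listing order); sorting the rule identifiers before numbering and emitting them would make the output stable. The same reordering appears in the restrictive.sh and standard.sh sections below, where the sshd_*, rsyslog_*, sudo_* and grub2_* rules move as well.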
8.67 KB
./usr/share/scap-security-guide/bash/ssg-ubuntu1604-role-anssi_np_nt28_restrictive.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·36)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·36)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/36:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/36:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed'47 #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'")49 (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·ntpdate50 #·CAUTION:·This·remediation·script·will·remove·ntpdate
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 70, 25 lines modifiedOffset 70, 25 lines modified
70 #»      ···remediation·AFTER·testing·on·a·non-production70 #»      ···remediation·AFTER·testing·on·a·non-production
71 #»      ···system!71 #»      ···system!
  
72 apt-get·remove·--purge·telnetd-ssl72 apt-get·remove·--purge·telnetd-ssl
73 #·END·fix·for·'package_telnetd-ssl_removed'73 #·END·fix·for·'package_telnetd-ssl_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(5·/·36)·for·'package_telnetd_removed'75 #·BEGIN·fix·(5·/·36)·for·'package_inetutils-telnetd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·5/36:·'package_telnetd_removed'")77 (>&2·echo·"Remediating·rule·5/36:·'package_inetutils-telnetd_removed'")
78 #·CAUTION:·This·remediation·script·will·remove·telnetd78 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
79 #»      ···from·the·system,·and·may·remove·any·packages79 #»      ···from·the·system,·and·may·remove·any·packages
80 #»      ···that·depend·on·telnetd.·Execute·this80 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
81 #»      ···remediation·AFTER·testing·on·a·non-production81 #»      ···remediation·AFTER·testing·on·a·non-production
82 #»      ···system!82 #»      ···system!
  
83 apt-get·remove·--purge·telnetd83 apt-get·remove·--purge·inetutils-telnetd
84 #·END·fix·for·'package_telnetd_removed'84 #·END·fix·for·'package_inetutils-telnetd_removed'
  
85 ###############################################################################85 ###############################################################################
86 #·BEGIN·fix·(6·/·36)·for·'package_ntp_installed'86 #·BEGIN·fix·(6·/·36)·for·'package_ntp_installed'
87 ###############################################################################87 ###############################################################################
88 (>&2·echo·"Remediating·rule·6/36:·'package_ntp_installed'")88 (>&2·echo·"Remediating·rule·6/36:·'package_ntp_installed'")
89 #·FIX·FOR·THIS·RULE·IS·MISSING89 #·FIX·FOR·THIS·RULE·IS·MISSING
90 #·END·fix·for·'package_ntp_installed'90 #·END·fix·for·'package_ntp_installed'
Offset 125, 33 lines modifiedOffset 125, 33 lines modified
125 #·BEGIN·fix·(11·/·36)·for·'sshd_allow_only_protocol2'125 #·BEGIN·fix·(11·/·36)·for·'sshd_allow_only_protocol2'
126 ###############################################################################126 ###############################################################################
127 (>&2·echo·"Remediating·rule·11/36:·'sshd_allow_only_protocol2'")127 (>&2·echo·"Remediating·rule·11/36:·'sshd_allow_only_protocol2'")
128 #·FIX·FOR·THIS·RULE·IS·MISSING128 #·FIX·FOR·THIS·RULE·IS·MISSING
129 #·END·fix·for·'sshd_allow_only_protocol2'129 #·END·fix·for·'sshd_allow_only_protocol2'
  
130 ###############################################################################130 ###############################################################################
131 #·BEGIN·fix·(12·/·36)·for·'sshd_disable_empty_passwords'131 #·BEGIN·fix·(12·/·36)·for·'sshd_set_keepalive'
132 ###############################################################################132 ###############################################################################
133 (>&2·echo·"Remediating·rule·12/36:·'sshd_disable_empty_passwords'")133 (>&2·echo·"Remediating·rule·12/36:·'sshd_set_keepalive'")
134 #·FIX·FOR·THIS·RULE·IS·MISSING134 #·FIX·FOR·THIS·RULE·IS·MISSING
135 #·END·fix·for·'sshd_disable_empty_passwords'135 #·END·fix·for·'sshd_set_keepalive'
  
136 ###############################################################################136 ###############################################################################
137 #·BEGIN·fix·(13·/·36)·for·'sshd_set_idle_timeout'137 #·BEGIN·fix·(13·/·36)·for·'sshd_set_idle_timeout'
138 ###############################################################################138 ###############################################################################
139 (>&2·echo·"Remediating·rule·13/36:·'sshd_set_idle_timeout'")139 (>&2·echo·"Remediating·rule·13/36:·'sshd_set_idle_timeout'")
140 #·FIX·FOR·THIS·RULE·IS·MISSING140 #·FIX·FOR·THIS·RULE·IS·MISSING
141 #·END·fix·for·'sshd_set_idle_timeout'141 #·END·fix·for·'sshd_set_idle_timeout'
  
142 ###############################################################################142 ###############################################################################
143 #·BEGIN·fix·(14·/·36)·for·'sshd_set_keepalive'143 #·BEGIN·fix·(14·/·36)·for·'sshd_disable_empty_passwords'
144 ###############################################################################144 ###############################################################################
145 (>&2·echo·"Remediating·rule·14/36:·'sshd_set_keepalive'")145 (>&2·echo·"Remediating·rule·14/36:·'sshd_disable_empty_passwords'")
146 #·FIX·FOR·THIS·RULE·IS·MISSING146 #·FIX·FOR·THIS·RULE·IS·MISSING
147 #·END·fix·for·'sshd_set_keepalive'147 #·END·fix·for·'sshd_disable_empty_passwords'
  
148 ###############################################################################148 ###############################################################################
149 #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login'149 #·BEGIN·fix·(15·/·36)·for·'sshd_disable_root_login'
150 ###############################################################################150 ###############################################################################
151 (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'")151 (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_root_login'")
152 #·FIX·FOR·THIS·RULE·IS·MISSING152 #·FIX·FOR·THIS·RULE·IS·MISSING
153 #·END·fix·for·'sshd_disable_root_login'153 #·END·fix·for·'sshd_disable_root_login'
Offset 160, 54 lines modifiedOffset 160, 54 lines modified
160 #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated'160 #·BEGIN·fix·(16·/·36)·for·'apt_conf_disallow_unauthenticated'
161 ###############################################################################161 ###############################################################################
162 (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'")162 (>&2·echo·"Remediating·rule·16/36:·'apt_conf_disallow_unauthenticated'")
163 #·FIX·FOR·THIS·RULE·IS·MISSING163 #·FIX·FOR·THIS·RULE·IS·MISSING
164 #·END·fix·for·'apt_conf_disallow_unauthenticated'164 #·END·fix·for·'apt_conf_disallow_unauthenticated'
  
165 ###############################################################################165 ###############################################################################
166 #·BEGIN·fix·(17·/·36)·for·'rsyslog_files_permissions'166 #·BEGIN·fix·(17·/·36)·for·'sudo_remove_no_authenticate'
167 ###############################################################################167 ###############################################################################
168 (>&2·echo·"Remediating·rule·17/36:·'rsyslog_files_permissions'")168 (>&2·echo·"Remediating·rule·17/36:·'sudo_remove_no_authenticate'")
169 #·FIX·FOR·THIS·RULE·IS·MISSING169 #·FIX·FOR·THIS·RULE·IS·MISSING
170 #·END·fix·for·'rsyslog_files_permissions'170 #·END·fix·for·'sudo_remove_no_authenticate'
  
171 ###############################################################################171 ###############################################################################
172 #·BEGIN·fix·(18·/·36)·for·'rsyslog_files_ownership'172 #·BEGIN·fix·(18·/·36)·for·'sudo_remove_nopasswd'
173 ###############################################################################173 ###############################################################################
174 (>&2·echo·"Remediating·rule·18/36:·'rsyslog_files_ownership'")174 (>&2·echo·"Remediating·rule·18/36:·'sudo_remove_nopasswd'")
175 #·FIX·FOR·THIS·RULE·IS·MISSING175 #·FIX·FOR·THIS·RULE·IS·MISSING
176 #·END·fix·for·'rsyslog_files_ownership'176 #·END·fix·for·'sudo_remove_nopasswd'
  
177 ###############################################################################177 ###############################################################################
178 #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_groupownership'178 #·BEGIN·fix·(19·/·36)·for·'rsyslog_files_permissions'
179 ###############################################################################179 ###############################################################################
180 (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_groupownership'")180 (>&2·echo·"Remediating·rule·19/36:·'rsyslog_files_permissions'")
181 #·FIX·FOR·THIS·RULE·IS·MISSING181 #·FIX·FOR·THIS·RULE·IS·MISSING
182 #·END·fix·for·'rsyslog_files_groupownership'182 #·END·fix·for·'rsyslog_files_permissions'
  
183 ###############################################################################183 ###############################################################################
184 #·BEGIN·fix·(20·/·36)·for·'ensure_logrotate_activated'184 #·BEGIN·fix·(20·/·36)·for·'rsyslog_files_ownership'
185 ###############################################################################185 ###############################################################################
186 (>&2·echo·"Remediating·rule·20/36:·'ensure_logrotate_activated'")186 (>&2·echo·"Remediating·rule·20/36:·'rsyslog_files_ownership'")
187 #·FIX·FOR·THIS·RULE·IS·MISSING187 #·FIX·FOR·THIS·RULE·IS·MISSING
188 #·END·fix·for·'ensure_logrotate_activated'188 #·END·fix·for·'rsyslog_files_ownership'
  
189 ###############################################################################189 ###############################################################################
190 #·BEGIN·fix·(21·/·36)·for·'sudo_remove_no_authenticate'190 #·BEGIN·fix·(21·/·36)·for·'rsyslog_files_groupownership'
191 ###############################################################################191 ###############################################################################
192 (>&2·echo·"Remediating·rule·21/36:·'sudo_remove_no_authenticate'")192 (>&2·echo·"Remediating·rule·21/36:·'rsyslog_files_groupownership'")
193 #·FIX·FOR·THIS·RULE·IS·MISSING193 #·FIX·FOR·THIS·RULE·IS·MISSING
194 #·END·fix·for·'sudo_remove_no_authenticate'194 #·END·fix·for·'rsyslog_files_groupownership'
  
Max diff block lines reached; 768/8713 bytes (8.81%) of diff not shown.
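Review bot: Most rules in this script, e.g. `sshd_disable_root_login` at 15/36 and `apt_conf_disallow_unauthenticated` at 16/36, print `Remediating rule N/36: '...'` to stderr and then contain only `# FIX FOR THIS RULE IS MISSING`, so an operator watching the progress output sees every rule reported as remediated while the sshd, sudo and rsyslog hardening is never applied. This is separate from the build-to-build reordering, but it makes a partial compliance run indistinguishable from a complete one. The generator should emit an explicit stderr line in place of the comment, such as `(>&2 echo "No remediation available for rule 16/36: 'apt_conf_disallow_unauthenticated'")`, and ideally report the count of skipped rules at the end of the script. The full section is truncated here by diffoscope, so rules after 21/36 are not visible.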
4.93 KB
./usr/share/scap-security-guide/bash/ssg-ubuntu1604-role-standard.sh
    
Offset 33, 25 lines modifiedOffset 33, 25 lines modified
33 #»      ···remediation·AFTER·testing·on·a·non-production33 #»      ···remediation·AFTER·testing·on·a·non-production
34 #»      ···system!34 #»      ···system!
  
35 apt-get·remove·--purge·nis35 apt-get·remove·--purge·nis
36 #·END·fix·for·'package_nis_removed'36 #·END·fix·for·'package_nis_removed'
  
37 ###############################################################################37 ###############################################################################
38 #·BEGIN·fix·(2·/·36)·for·'package_inetutils-telnetd_removed'38 #·BEGIN·fix·(2·/·36)·for·'package_telnetd_removed'
39 ###############################################################################39 ###############################################################################
40 (>&2·echo·"Remediating·rule·2/36:·'package_inetutils-telnetd_removed'")40 (>&2·echo·"Remediating·rule·2/36:·'package_telnetd_removed'")
41 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd41 #·CAUTION:·This·remediation·script·will·remove·telnetd
42 #»      ···from·the·system,·and·may·remove·any·packages42 #»      ···from·the·system,·and·may·remove·any·packages
43 #»      ···that·depend·on·inetutils-telnetd.·Execute·this43 #»      ···that·depend·on·telnetd.·Execute·this
44 #»      ···remediation·AFTER·testing·on·a·non-production44 #»      ···remediation·AFTER·testing·on·a·non-production
45 #»      ···system!45 #»      ···system!
  
46 apt-get·remove·--purge·inetutils-telnetd46 apt-get·remove·--purge·telnetd
47 #·END·fix·for·'package_inetutils-telnetd_removed'47 #·END·fix·for·'package_telnetd_removed'
  
48 ###############################################################################48 ###############################################################################
49 #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed'49 #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed'
50 ###############################################################################50 ###############################################################################
51 (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'")51 (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'")
52 #·CAUTION:·This·remediation·script·will·remove·ntpdate52 #·CAUTION:·This·remediation·script·will·remove·ntpdate
53 #»      ···from·the·system,·and·may·remove·any·packages53 #»      ···from·the·system,·and·may·remove·any·packages
Offset 72, 25 lines modifiedOffset 72, 25 lines modified
72 #»      ···remediation·AFTER·testing·on·a·non-production72 #»      ···remediation·AFTER·testing·on·a·non-production
73 #»      ···system!73 #»      ···system!
  
74 apt-get·remove·--purge·telnetd-ssl74 apt-get·remove·--purge·telnetd-ssl
75 #·END·fix·for·'package_telnetd-ssl_removed'75 #·END·fix·for·'package_telnetd-ssl_removed'
  
76 ###############################################################################76 ###############################################################################
77 #·BEGIN·fix·(5·/·36)·for·'package_telnetd_removed'77 #·BEGIN·fix·(5·/·36)·for·'package_inetutils-telnetd_removed'
78 ###############################################################################78 ###############################################################################
79 (>&2·echo·"Remediating·rule·5/36:·'package_telnetd_removed'")79 (>&2·echo·"Remediating·rule·5/36:·'package_inetutils-telnetd_removed'")
80 #·CAUTION:·This·remediation·script·will·remove·telnetd80 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
81 #»      ···from·the·system,·and·may·remove·any·packages81 #»      ···from·the·system,·and·may·remove·any·packages
82 #»      ···that·depend·on·telnetd.·Execute·this82 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
83 #»      ···remediation·AFTER·testing·on·a·non-production83 #»      ···remediation·AFTER·testing·on·a·non-production
84 #»      ···system!84 #»      ···system!
  
85 apt-get·remove·--purge·telnetd85 apt-get·remove·--purge·inetutils-telnetd
86 #·END·fix·for·'package_telnetd_removed'86 #·END·fix·for·'package_inetutils-telnetd_removed'
  
87 ###############################################################################87 ###############################################################################
88 #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled'88 #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled'
89 ###############################################################################89 ###############################################################################
90 (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'")90 (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'")
91 #·FIX·FOR·THIS·RULE·IS·MISSING91 #·FIX·FOR·THIS·RULE·IS·MISSING
92 #·END·fix·for·'service_cron_enabled'92 #·END·fix·for·'service_cron_enabled'
Offset 134, 33 lines modifiedOffset 134, 33 lines modified
134 #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2'134 #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2'
135 ###############################################################################135 ###############################################################################
136 (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'")136 (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'")
137 #·FIX·FOR·THIS·RULE·IS·MISSING137 #·FIX·FOR·THIS·RULE·IS·MISSING
138 #·END·fix·for·'sshd_allow_only_protocol2'138 #·END·fix·for·'sshd_allow_only_protocol2'
  
139 ###############################################################################139 ###############################################################################
140 #·BEGIN·fix·(13·/·36)·for·'sshd_disable_empty_passwords'140 #·BEGIN·fix·(13·/·36)·for·'sshd_set_keepalive'
141 ###############################################################################141 ###############################################################################
142 (>&2·echo·"Remediating·rule·13/36:·'sshd_disable_empty_passwords'")142 (>&2·echo·"Remediating·rule·13/36:·'sshd_set_keepalive'")
143 #·FIX·FOR·THIS·RULE·IS·MISSING143 #·FIX·FOR·THIS·RULE·IS·MISSING
144 #·END·fix·for·'sshd_disable_empty_passwords'144 #·END·fix·for·'sshd_set_keepalive'
  
145 ###############################################################################145 ###############################################################################
146 #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout'146 #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout'
147 ###############################################################################147 ###############################################################################
148 (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'")148 (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'")
149 #·FIX·FOR·THIS·RULE·IS·MISSING149 #·FIX·FOR·THIS·RULE·IS·MISSING
150 #·END·fix·for·'sshd_set_idle_timeout'150 #·END·fix·for·'sshd_set_idle_timeout'
  
151 ###############################################################################151 ###############################################################################
152 #·BEGIN·fix·(15·/·36)·for·'sshd_set_keepalive'152 #·BEGIN·fix·(15·/·36)·for·'sshd_disable_empty_passwords'
153 ###############################################################################153 ###############################################################################
154 (>&2·echo·"Remediating·rule·15/36:·'sshd_set_keepalive'")154 (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_empty_passwords'")
155 #·FIX·FOR·THIS·RULE·IS·MISSING155 #·FIX·FOR·THIS·RULE·IS·MISSING
156 #·END·fix·for·'sshd_set_keepalive'156 #·END·fix·for·'sshd_disable_empty_passwords'
  
157 ###############################################################################157 ###############################################################################
158 #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login'158 #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login'
159 ###############################################################################159 ###############################################################################
160 (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'")160 (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'")
161 #·FIX·FOR·THIS·RULE·IS·MISSING161 #·FIX·FOR·THIS·RULE·IS·MISSING
162 #·END·fix·for·'sshd_disable_root_login'162 #·END·fix·for·'sshd_disable_root_login'
1.79 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1404-cpe-oval.xml
1.67 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1404-cpe-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:35:32</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:36:55</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2">10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>CentOS·6</ns0:title>12 ········<ns0:title>CentOS·6</ns0:title>
13 ········<ns0:affected·family="unix"/>13 ········<ns0:affected·family="unix"/>
14 ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/>14 ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/>
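Review bot: The only difference in this section is the generator timestamp at `<ns2:timestamp>` (old 2020-07-12T03:35:32, new 2020-07-12T04:36:55), so the two builds of ssg-ubuntu1404-cpe-oval.xml differ purely by the wall-clock time that combine-ovals.py writes into its output. For the package to be reproducible the generator should take this value from `SOURCE_DATE_EPOCH` when it is set, as the xccdf-create-ocil.xslt component further down appears to do already (its 2018-07-26T14:58:28Z timestamp is identical on both sides and matches the package's file dates); otherwise every rebuild yields a different file hash and consumers cannot verify the shipped SCAP content against the source. The fix belongs in the generator, not in this output file.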
165 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1404-ds.xml
165 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1404-ds.xml
    
Offset 18, 21 lines modifiedOffset 18, 21 lines modified
18 ····</ds:checklists>18 ····</ds:checklists>
19 ····<ds:checks>19 ····<ds:checks>
20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"/>20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"/>
21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"/>21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"/>
22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-cpe-oval.xml"/>22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1404-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1404-cpe-oval.xml"/>
23 ····</ds:checks>23 ····</ds:checks>
24 ··</ds:data-stream>24 ··</ds:data-stream>
25 ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"·timestamp="2020-07-11T15:39:09">25 ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-oval.xml"·timestamp="2020-07-12T18:46:22">
26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
27 ······<ns0:generator>27 ······<ns0:generator>
28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
30 ········<ns2:schema_version>5.11</ns2:schema_version>30 ········<ns2:schema_version>5.11</ns2:schema_version>
31 ········<ns2:timestamp>2020-07-12T03:35:32</ns2:timestamp>31 ········<ns2:timestamp>2020-07-12T04:36:55</ns2:timestamp>
32 ······</ns0:generator>32 ······</ns0:generator>
33 ······<ns0:definitions>33 ······<ns0:definitions>
34 ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1">34 ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1">
35 ··········<ns0:metadata>35 ··········<ns0:metadata>
36 ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title>36 ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title>
37 ············<ns0:affected·family="unix">37 ············<ns0:affected·family="unix">
38 ··············<ns0:platform>Ubuntu·1404</ns0:platform>38 ··············<ns0:platform>Ubuntu·1404</ns0:platform>
Offset 5544, 15 lines modifiedOffset 5544, 15 lines modified
5544 ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/>5544 ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/>
5545 ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/>5545 ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/>
5546 ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/>5546 ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/>
5547 ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/>5547 ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/>
5548 ······</ns0:variables>5548 ······</ns0:variables>
5549 ····</ns0:oval_definitions>5549 ····</ns0:oval_definitions>
5550 ··</ds:component>5550 ··</ds:component>
5551 ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"·timestamp="2020-07-11T15:39:09">5551 ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1404-ocil.xml"·timestamp="2020-07-12T18:46:22">
5552 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">5552 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">
5553 ······<ns0:generator>5553 ······<ns0:generator>
5554 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>5554 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
5555 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>5555 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>
5556 ········<ns0:schema_version>2.0</ns0:schema_version>5556 ········<ns0:schema_version>2.0</ns0:schema_version>
5557 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>5557 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
5558 ······</ns0:generator>5558 ······</ns0:generator>
Offset 5571, 38 lines modifiedOffset 5571, 50 lines modified
5571 ········</ns0:questionnaire>5571 ········</ns0:questionnaire>
5572 ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">5572 ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">
5573 ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>5573 ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>
5574 ··········<ns0:actions>5574 ··········<ns0:actions>
5575 ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>5575 ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>
5576 ··········</ns0:actions>5576 ··········</ns0:actions>
5577 ········</ns0:questionnaire>5577 ········</ns0:questionnaire>
5578 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">5578 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">
5579 ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>5579 ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>
5580 ··········<ns0:actions>5580 ··········<ns0:actions>
5581 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>5581 ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>
5582 ··········</ns0:actions>5582 ··········</ns0:actions>
5583 ········</ns0:questionnaire>5583 ········</ns0:questionnaire>
5584 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">5584 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
5585 ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>5585 ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>
5586 ··········<ns0:actions>5586 ··········<ns0:actions>
5587 ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>5587 ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>
5588 ··········</ns0:actions>5588 ··········</ns0:actions>
5589 ········</ns0:questionnaire>5589 ········</ns0:questionnaire>
5590 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">5590 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">
5591 ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>5591 ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>
5592 ··········<ns0:actions>5592 ··········<ns0:actions>
5593 ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>5593 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>
5594 ··········</ns0:actions>5594 ··········</ns0:actions>
5595 ········</ns0:questionnaire>5595 ········</ns0:questionnaire>
5596 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">5596 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">
5597 ··········<ns0:title>Disable·SSH·Root·Login</ns0:title>5597 ··········<ns0:title>Disable·SSH·Root·Login</ns0:title>
5598 ··········<ns0:actions>5598 ··········<ns0:actions>
5599 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>5599 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>
5600 ··········</ns0:actions>5600 ··········</ns0:actions>
5601 ········</ns0:questionnaire>5601 ········</ns0:questionnaire>
 5602 ········<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1">
 5603 ··········<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title>
 5604 ··········<ns0:actions>
 5605 ············<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref>
 5606 ··········</ns0:actions>
 5607 ········</ns0:questionnaire>
 5608 ········<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
 5609 ··········<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title>
 5610 ··········<ns0:actions>
 5611 ············<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref>
 5612 ··········</ns0:actions>
 5613 ········</ns0:questionnaire>
5602 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1">5614 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1">
5603 ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title>5615 ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title>
5604 ··········<ns0:actions>5616 ··········<ns0:actions>
5605 ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref>5617 ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref>
5606 ··········</ns0:actions>5618 ··········</ns0:actions>
5607 ········</ns0:questionnaire>5619 ········</ns0:questionnaire>
5608 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1">5620 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1">
Offset 5619, 26 lines modifiedOffset 5631, 26 lines modified
5619 ········</ns0:questionnaire>5631 ········</ns0:questionnaire>
5620 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">5632 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
5621 ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>5633 ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>
5622 ··········<ns0:actions>5634 ··········<ns0:actions>
5623 ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>5635 ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>
5624 ··········</ns0:actions>5636 ··········</ns0:actions>
5625 ········</ns0:questionnaire>5637 ········</ns0:questionnaire>
5626 ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> 
5627 ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> 
5628 ··········<ns0:actions> 
5629 ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> 
5630 ··········</ns0:actions> 
5631 ········</ns0:questionnaire> 
5632 ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">5638 ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">
5633 ··········<ns0:title>Enable·syslog-ng·Service</ns0:title>5639 ··········<ns0:title>Enable·syslog-ng·Service</ns0:title>
5634 ··········<ns0:actions>5640 ··········<ns0:actions>
5635 ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>5641 ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>
5636 ··········</ns0:actions>5642 ··········</ns0:actions>
5637 ········</ns0:questionnaire>5643 ········</ns0:questionnaire>
 5644 ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1">
 5645 ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title>
 5646 ··········<ns0:actions>
 5647 ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref>
 5648 ··········</ns0:actions>
 5649 ········</ns0:questionnaire>
5638 ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">5650 ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">
5639 ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>5651 ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>
5640 ··········<ns0:actions>5652 ··········<ns0:actions>
5641 ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>5653 ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>
5642 ··········</ns0:actions>5654 ··········</ns0:actions>
5643 ········</ns0:questionnaire>5655 ········</ns0:questionnaire>
5644 ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">5656 ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">
Offset 5649, 26 lines modifiedOffset 5661, 14 lines modified
5649 ········</ns0:questionnaire>5661 ········</ns0:questionnaire>
5650 ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">5662 ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
5651 ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title>5663 ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title>
5652 ··········<ns0:actions>5664 ··········<ns0:actions>
5653 ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref>5665 ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref>
Max diff block lines reached; 159432/168826 bytes (94.44%) of diff not shown.
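Review bot: The questionnaire elements under `<ns0:ocil>` change order between the two builds without any change in content — sshd_set_keepalive and sshd_disable_empty_passwords swap places, the two sudo_remove_* questionnaires move ahead of the rsyslog block, and package_syslogng_installed moves after service_syslogng_enabled — which points to the generator emitting rules in the iteration order of an unsorted collection (a directory listing or a set, presumably; the generator line records python 2.7.16). The same keepalive/empty-passwords swap appears as rule numbers 13/36 and 15/36 in the remediation script above and in the ssg-ubuntu1404-ocil.xml section below, so it is one root cause, and sorting the rule ids before emission (`sorted(...)` over the collection) would remove it. The component and generator timestamps at `timestamp="2020-07-12T18:46:22"` and `<ns2:timestamp>2020-07-12T04:36:55</ns2:timestamp>` should likewise be derived from `SOURCE_DATE_EPOCH` rather than the wall clock. Until both are fixed the data stream's hash differs on every build, which defeats verification of the shipped content against its source.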
21.8 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1404-ocil.xml
21.7 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1404-ocil.xml
    
Offset 21, 38 lines modifiedOffset 21, 50 lines modified
21 ····</ns0:questionnaire>21 ····</ns0:questionnaire>
22 ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">22 ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">
23 ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>23 ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>
24 ······<ns0:actions>24 ······<ns0:actions>
25 ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>25 ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>
26 ······</ns0:actions>26 ······</ns0:actions>
27 ····</ns0:questionnaire>27 ····</ns0:questionnaire>
28 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">28 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">
29 ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>29 ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>
30 ······<ns0:actions>30 ······<ns0:actions>
31 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>31 ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>
32 ······</ns0:actions>32 ······</ns0:actions>
33 ····</ns0:questionnaire>33 ····</ns0:questionnaire>
34 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">34 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
35 ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>35 ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>
36 ······<ns0:actions>36 ······<ns0:actions>
37 ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>37 ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>
38 ······</ns0:actions>38 ······</ns0:actions>
39 ····</ns0:questionnaire>39 ····</ns0:questionnaire>
40 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">40 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">
41 ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>41 ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>
42 ······<ns0:actions>42 ······<ns0:actions>
43 ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>43 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>
44 ······</ns0:actions>44 ······</ns0:actions>
45 ····</ns0:questionnaire>45 ····</ns0:questionnaire>
46 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">46 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">
47 ······<ns0:title>Disable·SSH·Root·Login</ns0:title>47 ······<ns0:title>Disable·SSH·Root·Login</ns0:title>
48 ······<ns0:actions>48 ······<ns0:actions>
49 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>49 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>
50 ······</ns0:actions>50 ······</ns0:actions>
51 ····</ns0:questionnaire>51 ····</ns0:questionnaire>
 52 ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1">
 53 ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title>
 54 ······<ns0:actions>
 55 ········<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref>
 56 ······</ns0:actions>
 57 ····</ns0:questionnaire>
 58 ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
 59 ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title>
 60 ······<ns0:actions>
 61 ········<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref>
 62 ······</ns0:actions>
 63 ····</ns0:questionnaire>
52 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1">64 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1">
53 ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title>65 ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title>
54 ······<ns0:actions>66 ······<ns0:actions>
55 ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref>67 ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref>
56 ······</ns0:actions>68 ······</ns0:actions>
57 ····</ns0:questionnaire>69 ····</ns0:questionnaire>
58 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1">70 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1">
Offset 69, 26 lines modifiedOffset 81, 26 lines modified
69 ····</ns0:questionnaire>81 ····</ns0:questionnaire>
70 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">82 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
71 ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>83 ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>
72 ······<ns0:actions>84 ······<ns0:actions>
73 ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>85 ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>
74 ······</ns0:actions>86 ······</ns0:actions>
75 ····</ns0:questionnaire>87 ····</ns0:questionnaire>
76 ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> 
77 ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> 
78 ······<ns0:actions> 
79 ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> 
80 ······</ns0:actions> 
81 ····</ns0:questionnaire> 
82 ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">88 ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">
83 ······<ns0:title>Enable·syslog-ng·Service</ns0:title>89 ······<ns0:title>Enable·syslog-ng·Service</ns0:title>
84 ······<ns0:actions>90 ······<ns0:actions>
85 ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>91 ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>
86 ······</ns0:actions>92 ······</ns0:actions>
87 ····</ns0:questionnaire>93 ····</ns0:questionnaire>
 94 ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1">
 95 ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title>
 96 ······<ns0:actions>
 97 ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref>
 98 ······</ns0:actions>
 99 ····</ns0:questionnaire>
88 ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">100 ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">
89 ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>101 ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>
90 ······<ns0:actions>102 ······<ns0:actions>
91 ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>103 ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>
92 ······</ns0:actions>104 ······</ns0:actions>
93 ····</ns0:questionnaire>105 ····</ns0:questionnaire>
94 ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">106 ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">
Offset 99, 26 lines modifiedOffset 111, 14 lines modified
99 ····</ns0:questionnaire>111 ····</ns0:questionnaire>
100 ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">112 ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
101 ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title>113 ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title>
102 ······<ns0:actions>114 ······<ns0:actions>
103 ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref>115 ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref>
104 ······</ns0:actions>116 ······</ns0:actions>
105 ····</ns0:questionnaire>117 ····</ns0:questionnaire>
106 ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> 
107 ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> 
108 ······<ns0:actions> 
109 ········<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref> 
110 ······</ns0:actions> 
111 ····</ns0:questionnaire> 
112 ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"> 
113 ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title> 
114 ······<ns0:actions> 
115 ········<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref> 
116 ······</ns0:actions> 
117 ····</ns0:questionnaire> 
118 ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1">118 ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1">
119 ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title>119 ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title>
120 ······<ns0:actions>120 ······<ns0:actions>
121 ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref>121 ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref>
122 ······</ns0:actions>122 ······</ns0:actions>
123 ····</ns0:questionnaire>123 ····</ns0:questionnaire>
124 ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1">124 ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1">
Offset 233, 15 lines modifiedOffset 233, 15 lines modified
233 ······<ns0:when_true>233 ······<ns0:when_true>
234 ········<ns0:result>PASS</ns0:result>234 ········<ns0:result>PASS</ns0:result>
235 ······</ns0:when_true>235 ······</ns0:when_true>
236 ······<ns0:when_false>236 ······<ns0:when_false>
237 ········<ns0:result>FAIL</ns0:result>237 ········<ns0:result>FAIL</ns0:result>
238 ······</ns0:when_false>238 ······</ns0:when_false>
239 ····</ns0:boolean_question_test_action>239 ····</ns0:boolean_question_test_action>
240 ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_disable_empty_passwords_action:testaction:1"·question_ref="ocil:ssg-sshd_disable_empty_passwords_question:question:1">240 ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_set_keepalive_action:testaction:1"·question_ref="ocil:ssg-sshd_set_keepalive_question:question:1">
241 ······<ns0:when_true>241 ······<ns0:when_true>
242 ········<ns0:result>PASS</ns0:result>242 ········<ns0:result>PASS</ns0:result>
243 ······</ns0:when_true>243 ······</ns0:when_true>
244 ······<ns0:when_false>244 ······<ns0:when_false>
245 ········<ns0:result>FAIL</ns0:result>245 ········<ns0:result>FAIL</ns0:result>
246 ······</ns0:when_false>246 ······</ns0:when_false>
247 ····</ns0:boolean_question_test_action>247 ····</ns0:boolean_question_test_action>
Offset 249, 15 lines modifiedOffset 249, 15 lines modified
Max diff block lines reached; 14766/22089 bytes (66.85%) of diff not shown.
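--- a/usr/share/xml/scap/ssg/content/ssg-ubuntu1404-oval.xml
+++ b/usr/share/xml/scap/ssg/content/ssg-ubuntu1404-oval.xml
@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <ns0:oval_definitions xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
   <ns0:generator>
     <ns2:product_name>combine-ovals.py from SCAP Security Guide</ns2:product_name>
     <ns2:product_version>ssg: 0.1.39, python: 2.7.16</ns2:product_version>
     <ns2:schema_version>5.11</ns2:schema_version>
-    <ns2:timestamp>2020-07-12T03:35:32</ns2:timestamp>
+    <ns2:timestamp>2020-07-12T04:36:55</ns2:timestamp>
   </ns0:generator>
   <ns0:definitions>
     <ns0:definition class="compliance" id="oval:ssg-file_permissions_systemmap:def:1" version="1">
       <ns0:metadata>
         <ns0:title>Verify that System.map files are readable only by root</ns0:title>
         <ns0:affected family="unix">
           <ns0:platform>Ubuntu 1404</ns0:platform>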
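Review bot: The only difference in this file is the `<ns2:timestamp>` element inside `<ns0:generator>` (line 7), which embeds the build's wall-clock time, so two builds of identical source produce artifacts with different checksums and the package cannot be verified as reproducible by hash comparison. Since the generator identifies itself as combine-ovals.py running under Python 2.7.16, it should presumably take that value from SOURCE_DATE_EPOCH when the variable is set and fall back to the current time only otherwise, which would let a downstream verifier rebuild and compare digests. The same timestamp-only difference appears in ssg-ubuntu1604-cpe-oval.xml and in the ds:component timestamp attributes of ssg-ubuntu1604-ds.xml. The remaining sections differ only in element order (the OCIL questionnaires and test actions, and the ANSSI profiles in ssg-ubuntu1404-xccdf.xml), which looks like unsorted dict or set iteration in the generator and would be removed by sorting the items before emission; ordering nondeterminism matters here because a verifier comparing this content against a published hash cannot distinguish it from tampering.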
130 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1404-xccdf.xml
130 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1404-xccdf.xml
    
Offset 160, 60 lines modifiedOffset 160, 14 lines modified
160 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>160 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>
161 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>161 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
162 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>162 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>
163 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>163 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>
164 ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>164 ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
165 ··</metadata>165 ··</metadata>
166 ··<model·system="urn:xccdf:scoring:default"/>166 ··<model·system="urn:xccdf:scoring:default"/>
167 ··<Profile·id="anssi_np_nt28_restrictive"> 
168 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> 
169 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> 
170 ····<select·idref="sudo_remove_nopasswd"·selected="true"/> 
171 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> 
172 ····<select·idref="package_telnetd_removed"·selected="true"/> 
173 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> 
174 ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> 
175 ····<select·idref="package_nis_removed"·selected="true"/> 
176 ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> 
177 ····<select·idref="file_permissions_etc_shadow"·selected="true"/> 
178 ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> 
179 ····<select·idref="file_permissions_etc_passwd"·selected="true"/> 
180 ····<select·idref="file_permissions_etc_group"·selected="true"/> 
181 ····<select·idref="package_ntp_installed"·selected="true"/> 
182 ····<select·idref="package_ntpdate_removed"·selected="true"/> 
183 ····<select·idref="sshd_set_idle_timeout"·selected="true"/> 
184 ····<select·idref="sshd_disable_root_login"·selected="true"/> 
185 ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> 
186 ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> 
187 ····<select·idref="sshd_set_keepalive"·selected="true"/> 
188 ····<select·idref="rsyslog_files_ownership"·selected="true"/> 
189 ····<select·idref="rsyslog_files_groupownership"·selected="true"/> 
190 ····<select·idref="rsyslog_files_permissions"·selected="true"/> 
191 ····<select·idref="rsyslog_remote_loghost"·selected="false"/> 
192 ····<select·idref="ensure_logrotate_activated"·selected="true"/> 
193 ····<select·idref="file_permissions_systemmap"·selected="true"/> 
194 ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> 
195 ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> 
196 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> 
197 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> 
198 ····<select·idref="partition_for_tmp"·selected="true"/> 
199 ····<select·idref="partition_for_var"·selected="true"/> 
200 ····<select·idref="partition_for_var_log"·selected="true"/> 
201 ····<select·idref="partition_for_var_log_audit"·selected="true"/> 
202 ····<select·idref="partition_for_home"·selected="true"/> 
203 ····<select·idref="package_auditd_installed"·selected="true"/> 
204 ····<select·idref="package_cron_installed"·selected="true"/> 
205 ····<select·idref="service_auditd_enabled"·selected="true"/> 
206 ····<select·idref="service_ntpd_enabled"·selected="true"/> 
207 ····<select·idref="remediation_functions"·selected="false"/> 
208 ····<select·idref="rsyslog_sending_messages"·selected="false"/> 
209 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> 
210 ····<select·idref="hw-install"·selected="false"/> 
211 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> 
212 ··</Profile> 
213 ··<Profile·id="anssi_np_nt28_average">167 ··<Profile·id="anssi_np_nt28_average">
214 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title>168 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title>
215 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description>169 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description>
216 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>170 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>
217 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>171 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>
218 ····<select·idref="package_telnetd_removed"·selected="true"/>172 ····<select·idref="package_telnetd_removed"·selected="true"/>
219 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>173 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>
Offset 243, 22 lines modifiedOffset 197, 22 lines modified
243 ····<select·idref="ensure_logrotate_activated"·selected="true"/>197 ····<select·idref="ensure_logrotate_activated"·selected="true"/>
244 ····<select·idref="file_permissions_systemmap"·selected="true"/>198 ····<select·idref="file_permissions_systemmap"·selected="true"/>
245 ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/>199 ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/>
246 ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/>200 ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/>
247 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/>201 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/>
248 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/>202 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/>
249 ····<select·idref="remediation_functions"·selected="false"/>203 ····<select·idref="remediation_functions"·selected="false"/>
 204 ····<select·idref="hw-install"·selected="false"/>
250 ····<select·idref="rsyslog_sending_messages"·selected="false"/>205 ····<select·idref="rsyslog_sending_messages"·selected="false"/>
251 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>206 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>
252 ····<select·idref="hw-install"·selected="false"/> 
253 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>207 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>
254 ··</Profile>208 ··</Profile>
255 ··<Profile·id="anssi_np_nt28_high">209 ··<Profile·id="anssi_np_nt28_restrictive">
256 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</title>210 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title>
257 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·storing·sensitive·informations·that·can·be·accessible·from·unauthenticated·or·uncontroled·networks.</description>211 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description>
258 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>212 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>
259 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>213 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>
260 ····<select·idref="package_telnetd_removed"·selected="true"/>214 ····<select·idref="package_telnetd_removed"·selected="true"/>
261 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>215 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>
262 ····<select·idref="package_telnetd-ssl_removed"·selected="true"/>216 ····<select·idref="package_telnetd-ssl_removed"·selected="true"/>
263 ····<select·idref="package_nis_removed"·selected="true"/>217 ····<select·idref="package_nis_removed"·selected="true"/>
264 ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/>218 ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/>
Offset 288, 16 lines modifiedOffset 242, 16 lines modified
288 ····<select·idref="partition_for_var_log"·selected="true"/>242 ····<select·idref="partition_for_var_log"·selected="true"/>
289 ····<select·idref="partition_for_var_log_audit"·selected="true"/>243 ····<select·idref="partition_for_var_log_audit"·selected="true"/>
290 ····<select·idref="partition_for_home"·selected="true"/>244 ····<select·idref="partition_for_home"·selected="true"/>
291 ····<select·idref="package_auditd_installed"·selected="true"/>245 ····<select·idref="package_auditd_installed"·selected="true"/>
292 ····<select·idref="package_cron_installed"·selected="true"/>246 ····<select·idref="package_cron_installed"·selected="true"/>
293 ····<select·idref="service_auditd_enabled"·selected="true"/>247 ····<select·idref="service_auditd_enabled"·selected="true"/>
294 ····<select·idref="service_ntpd_enabled"·selected="true"/>248 ····<select·idref="service_ntpd_enabled"·selected="true"/>
295 ····<select·idref="grub2_enable_iommu_force"·selected="true"/> 
296 ····<select·idref="remediation_functions"·selected="false"/>249 ····<select·idref="remediation_functions"·selected="false"/>
 250 ····<select·idref="hw-install"·selected="false"/>
297 ····<select·idref="rsyslog_sending_messages"·selected="false"/>251 ····<select·idref="rsyslog_sending_messages"·selected="false"/>
298 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>252 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>
299 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>253 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>
300 ··</Profile>254 ··</Profile>
301 ··<Profile·id="anssi_np_nt28_minimal">255 ··<Profile·id="anssi_np_nt28_minimal">
302 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title>256 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title>
303 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description>257 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description>
Offset 312, 28 lines modifiedOffset 266, 74 lines modified
312 ····<select·idref="file_permissions_etc_gshadow"·selected="true"/>266 ····<select·idref="file_permissions_etc_gshadow"·selected="true"/>
313 ····<select·idref="file_permissions_etc_passwd"·selected="true"/>267 ····<select·idref="file_permissions_etc_passwd"·selected="true"/>
314 ····<select·idref="file_permissions_etc_group"·selected="true"/>268 ····<select·idref="file_permissions_etc_group"·selected="true"/>
315 ····<select·idref="remediation_functions"·selected="false"/>269 ····<select·idref="remediation_functions"·selected="false"/>
316 ····<select·idref="basics"·selected="false"/>270 ····<select·idref="basics"·selected="false"/>
317 ····<select·idref="ssh"·selected="false"/>271 ····<select·idref="ssh"·selected="false"/>
318 ····<select·idref="ssh_server"·selected="false"/>272 ····<select·idref="ssh_server"·selected="false"/>
 273 ····<select·idref="hw-install"·selected="false"/>
319 ····<select·idref="logging"·selected="false"/>274 ····<select·idref="logging"·selected="false"/>
320 ····<select·idref="rsyslog_sending_messages"·selected="false"/>275 ····<select·idref="rsyslog_sending_messages"·selected="false"/>
321 ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/>276 ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/>
322 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>277 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>
323 ····<select·idref="log_rotation"·selected="false"/>278 ····<select·idref="log_rotation"·selected="false"/>
324 ····<select·idref="hw-install"·selected="false"/> 
325 ····<select·idref="fs-part"·selected="false"/>279 ····<select·idref="fs-part"·selected="false"/>
326 ····<select·idref="installation-storage-partitioning"·selected="false"/>280 ····<select·idref="installation-storage-partitioning"·selected="false"/>
327 ····<select·idref="fs-restrict"·selected="false"/>281 ····<select·idref="fs-restrict"·selected="false"/>
328 ····<select·idref="permission_important_state_files"·selected="false"/>282 ····<select·idref="permission_important_state_files"·selected="false"/>
329 ····<select·idref="restriction"·selected="false"/>283 ····<select·idref="restriction"·selected="false"/>
330 ····<select·idref="coredumps"·selected="false"/>284 ····<select·idref="coredumps"·selected="false"/>
331 ····<select·idref="enable_execshield_settings"·selected="false"/>285 ····<select·idref="enable_execshield_settings"·selected="false"/>
332 ··</Profile>286 ··</Profile>
 287 ··<Profile·id="anssi_np_nt28_high">
 288 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</title>
Max diff block lines reached; 121028/133362 bytes (90.75%) of diff not shown.
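--- a/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-oval.xml
+++ b/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-oval.xml
@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <ns0:oval_definitions xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
   <ns0:generator>
     <ns2:product_name>combine-ovals.py from SCAP Security Guide</ns2:product_name>
     <ns2:product_version>ssg: 0.1.39, python: 2.7.16</ns2:product_version>
     <ns2:schema_version>5.11</ns2:schema_version>
-    <ns2:timestamp>2020-07-12T03:35:39</ns2:timestamp>
+    <ns2:timestamp>2020-07-12T04:36:59</ns2:timestamp>
   </ns0:generator>
   <ns0:definitions>
     <ns0:definition class="inventory" id="oval:ssg-installed_OS_is_centos6:def:1" version="2">
       <ns0:metadata>
         <ns0:title>CentOS 6</ns0:title>
         <ns0:affected family="unix"/>
         <ns0:reference ref_id="cpe:/o:centos:centos:6" source="CPE"/>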
165 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml
165 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml
    
Offset 18, 21 lines modifiedOffset 18, 21 lines modified
18 ····</ds:checklists>18 ····</ds:checklists>
19 ····<ds:checks>19 ····<ds:checks>
20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"/>20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"/>
21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"/>21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"/>
22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-cpe-oval.xml"/>22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-ubuntu1604-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-ubuntu1604-cpe-oval.xml"/>
23 ····</ds:checks>23 ····</ds:checks>
24 ··</ds:data-stream>24 ··</ds:data-stream>
25 ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"·timestamp="2020-07-11T15:39:10">25 ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-oval.xml"·timestamp="2020-07-12T18:46:28">
26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
27 ······<ns0:generator>27 ······<ns0:generator>
28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
30 ········<ns2:schema_version>5.11</ns2:schema_version>30 ········<ns2:schema_version>5.11</ns2:schema_version>
31 ········<ns2:timestamp>2020-07-12T03:35:39</ns2:timestamp>31 ········<ns2:timestamp>2020-07-12T04:36:59</ns2:timestamp>
32 ······</ns0:generator>32 ······</ns0:generator>
33 ······<ns0:definitions>33 ······<ns0:definitions>
34 ········<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1">34 ········<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1">
35 ··········<ns0:metadata>35 ··········<ns0:metadata>
36 ············<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title>36 ············<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title>
37 ············<ns0:affected·family="unix">37 ············<ns0:affected·family="unix">
38 ··············<ns0:platform>Ubuntu·1404</ns0:platform>38 ··············<ns0:platform>Ubuntu·1404</ns0:platform>
Offset 5548, 15 lines modifiedOffset 5548, 15 lines modified
5548 ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/>5548 ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/>
5549 ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/>5549 ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/>
5550 ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/>5550 ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/>
5551 ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/>5551 ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/>
5552 ······</ns0:variables>5552 ······</ns0:variables>
5553 ····</ns0:oval_definitions>5553 ····</ns0:oval_definitions>
5554 ··</ds:component>5554 ··</ds:component>
5555 ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"·timestamp="2020-07-11T15:39:10">5555 ··<ds:component·id="scap_org.open-scap_comp_ssg-ubuntu1604-ocil.xml"·timestamp="2020-07-12T18:46:28">
5556 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">5556 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">
5557 ······<ns0:generator>5557 ······<ns0:generator>
5558 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>5558 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
5559 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>5559 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>
5560 ········<ns0:schema_version>2.0</ns0:schema_version>5560 ········<ns0:schema_version>2.0</ns0:schema_version>
5561 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>5561 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
5562 ······</ns0:generator>5562 ······</ns0:generator>
Offset 5575, 38 lines modifiedOffset 5575, 50 lines modified
5575 ········</ns0:questionnaire>5575 ········</ns0:questionnaire>
5576 ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">5576 ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">
5577 ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>5577 ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>
5578 ··········<ns0:actions>5578 ··········<ns0:actions>
5579 ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>5579 ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>
5580 ··········</ns0:actions>5580 ··········</ns0:actions>
5581 ········</ns0:questionnaire>5581 ········</ns0:questionnaire>
5582 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">5582 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">
5583 ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>5583 ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>
5584 ··········<ns0:actions>5584 ··········<ns0:actions>
5585 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>5585 ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>
5586 ··········</ns0:actions>5586 ··········</ns0:actions>
5587 ········</ns0:questionnaire>5587 ········</ns0:questionnaire>
5588 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">5588 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
5589 ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>5589 ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>
5590 ··········<ns0:actions>5590 ··········<ns0:actions>
5591 ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>5591 ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>
5592 ··········</ns0:actions>5592 ··········</ns0:actions>
5593 ········</ns0:questionnaire>5593 ········</ns0:questionnaire>
5594 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">5594 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">
5595 ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>5595 ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>
5596 ··········<ns0:actions>5596 ··········<ns0:actions>
5597 ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>5597 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>
5598 ··········</ns0:actions>5598 ··········</ns0:actions>
5599 ········</ns0:questionnaire>5599 ········</ns0:questionnaire>
5600 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">5600 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">
5601 ··········<ns0:title>Disable·SSH·Root·Login</ns0:title>5601 ··········<ns0:title>Disable·SSH·Root·Login</ns0:title>
5602 ··········<ns0:actions>5602 ··········<ns0:actions>
5603 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>5603 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>
5604 ··········</ns0:actions>5604 ··········</ns0:actions>
5605 ········</ns0:questionnaire>5605 ········</ns0:questionnaire>
 5606 ········<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1">
 5607 ··········<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title>
 5608 ··········<ns0:actions>
 5609 ············<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref>
 5610 ··········</ns0:actions>
 5611 ········</ns0:questionnaire>
 5612 ········<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
 5613 ··········<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title>
 5614 ··········<ns0:actions>
 5615 ············<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref>
 5616 ··········</ns0:actions>
 5617 ········</ns0:questionnaire>
5606 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1">5618 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1">
5607 ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title>5619 ··········<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title>
5608 ··········<ns0:actions>5620 ··········<ns0:actions>
5609 ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref>5621 ············<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref>
5610 ··········</ns0:actions>5622 ··········</ns0:actions>
5611 ········</ns0:questionnaire>5623 ········</ns0:questionnaire>
5612 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1">5624 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1">
Offset 5623, 26 lines modifiedOffset 5635, 26 lines modified
5623 ········</ns0:questionnaire>5635 ········</ns0:questionnaire>
5624 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">5636 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
5625 ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>5637 ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>
5626 ··········<ns0:actions>5638 ··········<ns0:actions>
5627 ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>5639 ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>
5628 ··········</ns0:actions>5640 ··········</ns0:actions>
5629 ········</ns0:questionnaire>5641 ········</ns0:questionnaire>
5630 ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> 
5631 ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> 
5632 ··········<ns0:actions> 
5633 ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> 
5634 ··········</ns0:actions> 
5635 ········</ns0:questionnaire> 
5636 ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">5642 ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">
5637 ··········<ns0:title>Enable·syslog-ng·Service</ns0:title>5643 ··········<ns0:title>Enable·syslog-ng·Service</ns0:title>
5638 ··········<ns0:actions>5644 ··········<ns0:actions>
5639 ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>5645 ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>
5640 ··········</ns0:actions>5646 ··········</ns0:actions>
5641 ········</ns0:questionnaire>5647 ········</ns0:questionnaire>
 5648 ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1">
 5649 ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title>
 5650 ··········<ns0:actions>
 5651 ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref>
 5652 ··········</ns0:actions>
 5653 ········</ns0:questionnaire>
5642 ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">5654 ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">
5643 ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>5655 ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>
5644 ··········<ns0:actions>5656 ··········<ns0:actions>
5645 ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>5657 ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>
5646 ··········</ns0:actions>5658 ··········</ns0:actions>
5647 ········</ns0:questionnaire>5659 ········</ns0:questionnaire>
5648 ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">5660 ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">
Offset 5653, 26 lines modifiedOffset 5665, 14 lines modified
5653 ········</ns0:questionnaire>5665 ········</ns0:questionnaire>
5654 ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">5666 ········<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
5655 ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title>5667 ··········<ns0:title>Ensure·rsyslog·is·Installed</ns0:title>
5656 ··········<ns0:actions>5668 ··········<ns0:actions>
5657 ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref>5669 ············<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref>
Max diff block lines reached; 159451/168815 bytes (94.45%) of diff not shown.
21.8 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml
21.7 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml
    
Offset 21, 38 lines modifiedOffset 21, 50 lines modified
21 ····</ns0:questionnaire>21 ····</ns0:questionnaire>
22 ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">22 ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">
23 ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>23 ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>
24 ······<ns0:actions>24 ······<ns0:actions>
25 ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>25 ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>
26 ······</ns0:actions>26 ······</ns0:actions>
27 ····</ns0:questionnaire>27 ····</ns0:questionnaire>
28 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">28 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">
29 ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>29 ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>
30 ······<ns0:actions>30 ······<ns0:actions>
31 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>31 ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>
32 ······</ns0:actions>32 ······</ns0:actions>
33 ····</ns0:questionnaire>33 ····</ns0:questionnaire>
34 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">34 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
35 ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>35 ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>
36 ······<ns0:actions>36 ······<ns0:actions>
37 ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>37 ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>
38 ······</ns0:actions>38 ······</ns0:actions>
39 ····</ns0:questionnaire>39 ····</ns0:questionnaire>
40 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">40 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">
41 ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>41 ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>
42 ······<ns0:actions>42 ······<ns0:actions>
43 ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>43 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>
44 ······</ns0:actions>44 ······</ns0:actions>
45 ····</ns0:questionnaire>45 ····</ns0:questionnaire>
46 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">46 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">
47 ······<ns0:title>Disable·SSH·Root·Login</ns0:title>47 ······<ns0:title>Disable·SSH·Root·Login</ns0:title>
48 ······<ns0:actions>48 ······<ns0:actions>
49 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>49 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>
50 ······</ns0:actions>50 ······</ns0:actions>
51 ····</ns0:questionnaire>51 ····</ns0:questionnaire>
 52 ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1">
 53 ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title>
 54 ······<ns0:actions>
 55 ········<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref>
 56 ······</ns0:actions>
 57 ····</ns0:questionnaire>
 58 ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
 59 ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title>
 60 ······<ns0:actions>
 61 ········<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref>
 62 ······</ns0:actions>
 63 ····</ns0:questionnaire>
52 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1">64 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1">
53 ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title>65 ······<ns0:title>Ensure·Logs·Sent·To·Remote·Host</ns0:title>
54 ······<ns0:actions>66 ······<ns0:actions>
55 ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref>67 ········<ns0:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ns0:test_action_ref>
56 ······</ns0:actions>68 ······</ns0:actions>
57 ····</ns0:questionnaire>69 ····</ns0:questionnaire>
58 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1">70 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1">
Offset 69, 26 lines modifiedOffset 81, 26 lines modified
69 ····</ns0:questionnaire>81 ····</ns0:questionnaire>
70 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">82 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
71 ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>83 ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>
72 ······<ns0:actions>84 ······<ns0:actions>
73 ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>85 ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>
74 ······</ns0:actions>86 ······</ns0:actions>
75 ····</ns0:questionnaire>87 ····</ns0:questionnaire>
76 ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> 
77 ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> 
78 ······<ns0:actions> 
79 ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> 
80 ······</ns0:actions> 
81 ····</ns0:questionnaire> 
82 ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">88 ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">
83 ······<ns0:title>Enable·syslog-ng·Service</ns0:title>89 ······<ns0:title>Enable·syslog-ng·Service</ns0:title>
84 ······<ns0:actions>90 ······<ns0:actions>
85 ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>91 ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>
86 ······</ns0:actions>92 ······</ns0:actions>
87 ····</ns0:questionnaire>93 ····</ns0:questionnaire>
 94 ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1">
 95 ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title>
 96 ······<ns0:actions>
 97 ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref>
 98 ······</ns0:actions>
 99 ····</ns0:questionnaire>
88 ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">100 ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">
89 ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>101 ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>
90 ······<ns0:actions>102 ······<ns0:actions>
91 ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>103 ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>
92 ······</ns0:actions>104 ······</ns0:actions>
93 ····</ns0:questionnaire>105 ····</ns0:questionnaire>
94 ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">106 ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">
Offset 99, 26 lines modifiedOffset 111, 14 lines modified
99 ····</ns0:questionnaire>111 ····</ns0:questionnaire>
100 ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">112 ····<ns0:questionnaire·id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
101 ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title>113 ······<ns0:title>Ensure·rsyslog·is·Installed</ns0:title>
102 ······<ns0:actions>114 ······<ns0:actions>
103 ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref>115 ········<ns0:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ns0:test_action_ref>
104 ······</ns0:actions>116 ······</ns0:actions>
105 ····</ns0:questionnaire>117 ····</ns0:questionnaire>
106 ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"> 
107 ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·!authenticate</ns0:title> 
108 ······<ns0:actions> 
109 ········<ns0:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ns0:test_action_ref> 
110 ······</ns0:actions> 
111 ····</ns0:questionnaire> 
112 ····<ns0:questionnaire·id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"> 
113 ······<ns0:title>Ensure·Users·Re-Authenticate·for·Privilege·Escalation·-·sudo·NOPASSWD</ns0:title> 
114 ······<ns0:actions> 
115 ········<ns0:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ns0:test_action_ref> 
116 ······</ns0:actions> 
117 ····</ns0:questionnaire> 
118 ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1">118 ····<ns0:questionnaire·id="ocil:ssg-partition_for_srv_ocil:questionnaire:1">
119 ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title>119 ······<ns0:title>Ensure·/srv·Located·On·Separate·Partition</ns0:title>
120 ······<ns0:actions>120 ······<ns0:actions>
121 ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref>121 ········<ns0:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ns0:test_action_ref>
122 ······</ns0:actions>122 ······</ns0:actions>
123 ····</ns0:questionnaire>123 ····</ns0:questionnaire>
124 ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1">124 ····<ns0:questionnaire·id="ocil:ssg-partition_for_home_ocil:questionnaire:1">
Offset 233, 15 lines modifiedOffset 233, 15 lines modified
233 ······<ns0:when_true>233 ······<ns0:when_true>
234 ········<ns0:result>PASS</ns0:result>234 ········<ns0:result>PASS</ns0:result>
235 ······</ns0:when_true>235 ······</ns0:when_true>
236 ······<ns0:when_false>236 ······<ns0:when_false>
237 ········<ns0:result>FAIL</ns0:result>237 ········<ns0:result>FAIL</ns0:result>
238 ······</ns0:when_false>238 ······</ns0:when_false>
239 ····</ns0:boolean_question_test_action>239 ····</ns0:boolean_question_test_action>
240 ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_disable_empty_passwords_action:testaction:1"·question_ref="ocil:ssg-sshd_disable_empty_passwords_question:question:1">240 ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_set_keepalive_action:testaction:1"·question_ref="ocil:ssg-sshd_set_keepalive_question:question:1">
241 ······<ns0:when_true>241 ······<ns0:when_true>
242 ········<ns0:result>PASS</ns0:result>242 ········<ns0:result>PASS</ns0:result>
243 ······</ns0:when_true>243 ······</ns0:when_true>
244 ······<ns0:when_false>244 ······<ns0:when_false>
245 ········<ns0:result>FAIL</ns0:result>245 ········<ns0:result>FAIL</ns0:result>
246 ······</ns0:when_false>246 ······</ns0:when_false>
247 ····</ns0:boolean_question_test_action>247 ····</ns0:boolean_question_test_action>
Offset 249, 15 lines modifiedOffset 249, 15 lines modified
Max diff block lines reached; 14766/22089 bytes (66.85%) of diff not shown.
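--- a/./usr/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml
+++ b/./usr/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml
@@ -1,14 +1,14 @@
 <?xml·version="1.0"·encoding="utf-8"?>
 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
 ··<ns0:generator>
 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
 ····<ns2:schema_version>5.11</ns2:schema_version>
-····<ns2:timestamp>2020-07-12T03:35:39</ns2:timestamp>
+····<ns2:timestamp>2020-07-12T04:36:59</ns2:timestamp>
 ··</ns0:generator>
 ··<ns0:definitions>
 ····<ns0:definition·class="compliance"·id="oval:ssg-grub2_enable_iommu_force:def:1"·version="1">
 ······<ns0:metadata>
 ········<ns0:title>Force·IOMMU·usage·in·GRUB2</ns0:title>
 ········<ns0:affected·family="unix">
 ··········<ns0:platform>Ubuntu·1404</ns0:platform>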
130 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml
130 KB
./usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml
    
Offset 160, 60 lines modifiedOffset 160, 14 lines modified
160 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>160 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>
161 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>161 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
162 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>162 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>
163 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>163 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>
164 ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>164 ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
165 ··</metadata>165 ··</metadata>
166 ··<model·system="urn:xccdf:scoring:default"/>166 ··<model·system="urn:xccdf:scoring:default"/>
167 ··<Profile·id="anssi_np_nt28_restrictive"> 
168 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> 
169 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> 
170 ····<select·idref="sudo_remove_nopasswd"·selected="true"/> 
171 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> 
172 ····<select·idref="package_telnetd_removed"·selected="true"/> 
173 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> 
174 ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> 
175 ····<select·idref="package_nis_removed"·selected="true"/> 
176 ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> 
177 ····<select·idref="file_permissions_etc_shadow"·selected="true"/> 
178 ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> 
179 ····<select·idref="file_permissions_etc_passwd"·selected="true"/> 
180 ····<select·idref="file_permissions_etc_group"·selected="true"/> 
181 ····<select·idref="package_ntp_installed"·selected="true"/> 
182 ····<select·idref="package_ntpdate_removed"·selected="true"/> 
183 ····<select·idref="sshd_set_idle_timeout"·selected="true"/> 
184 ····<select·idref="sshd_disable_root_login"·selected="true"/> 
185 ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> 
186 ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> 
187 ····<select·idref="sshd_set_keepalive"·selected="true"/> 
188 ····<select·idref="rsyslog_files_ownership"·selected="true"/> 
189 ····<select·idref="rsyslog_files_groupownership"·selected="true"/> 
190 ····<select·idref="rsyslog_files_permissions"·selected="true"/> 
191 ····<select·idref="rsyslog_remote_loghost"·selected="false"/> 
192 ····<select·idref="ensure_logrotate_activated"·selected="true"/> 
193 ····<select·idref="file_permissions_boot_system_map"·selected="true"/> 
194 ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> 
195 ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> 
196 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> 
197 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> 
198 ····<select·idref="partition_for_tmp"·selected="true"/> 
199 ····<select·idref="partition_for_var"·selected="true"/> 
200 ····<select·idref="partition_for_var_log"·selected="true"/> 
201 ····<select·idref="partition_for_var_log_audit"·selected="true"/> 
202 ····<select·idref="partition_for_home"·selected="true"/> 
203 ····<select·idref="package_auditd_installed"·selected="true"/> 
204 ····<select·idref="package_cron_installed"·selected="true"/> 
205 ····<select·idref="service_auditd_enabled"·selected="true"/> 
206 ····<select·idref="service_ntpd_enabled"·selected="true"/> 
207 ····<select·idref="remediation_functions"·selected="false"/> 
208 ····<select·idref="rsyslog_sending_messages"·selected="false"/> 
209 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/> 
210 ····<select·idref="hw-install"·selected="false"/> 
211 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> 
212 ··</Profile> 
213 ··<Profile·id="anssi_np_nt28_average">167 ··<Profile·id="anssi_np_nt28_average">
214 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title>168 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title>
215 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description>169 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description>
216 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>170 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>
217 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>171 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>
218 ····<select·idref="package_telnetd_removed"·selected="true"/>172 ····<select·idref="package_telnetd_removed"·selected="true"/>
219 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>173 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>
Offset 243, 22 lines modifiedOffset 197, 22 lines modified
243 ····<select·idref="ensure_logrotate_activated"·selected="true"/>197 ····<select·idref="ensure_logrotate_activated"·selected="true"/>
244 ····<select·idref="file_permissions_boot_system_map"·selected="true"/>198 ····<select·idref="file_permissions_boot_system_map"·selected="true"/>
245 ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/>199 ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/>
246 ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/>200 ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/>
247 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/>201 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/>
248 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/>202 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/>
249 ····<select·idref="remediation_functions"·selected="false"/>203 ····<select·idref="remediation_functions"·selected="false"/>
 204 ····<select·idref="hw-install"·selected="false"/>
250 ····<select·idref="rsyslog_sending_messages"·selected="false"/>205 ····<select·idref="rsyslog_sending_messages"·selected="false"/>
251 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>206 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>
252 ····<select·idref="hw-install"·selected="false"/> 
253 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>207 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>
254 ··</Profile>208 ··</Profile>
255 ··<Profile·id="anssi_np_nt28_high">209 ··<Profile·id="anssi_np_nt28_restrictive">
256 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</title>210 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title>
257 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·storing·sensitive·informations·that·can·be·accessible·from·unauthenticated·or·uncontroled·networks.</description>211 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description>
258 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>212 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>
259 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>213 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>
260 ····<select·idref="package_telnetd_removed"·selected="true"/>214 ····<select·idref="package_telnetd_removed"·selected="true"/>
261 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>215 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>
262 ····<select·idref="package_telnetd-ssl_removed"·selected="true"/>216 ····<select·idref="package_telnetd-ssl_removed"·selected="true"/>
263 ····<select·idref="package_nis_removed"·selected="true"/>217 ····<select·idref="package_nis_removed"·selected="true"/>
264 ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/>218 ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/>
Offset 288, 16 lines modifiedOffset 242, 16 lines modified
288 ····<select·idref="partition_for_var_log"·selected="true"/>242 ····<select·idref="partition_for_var_log"·selected="true"/>
289 ····<select·idref="partition_for_var_log_audit"·selected="true"/>243 ····<select·idref="partition_for_var_log_audit"·selected="true"/>
290 ····<select·idref="partition_for_home"·selected="true"/>244 ····<select·idref="partition_for_home"·selected="true"/>
291 ····<select·idref="package_auditd_installed"·selected="true"/>245 ····<select·idref="package_auditd_installed"·selected="true"/>
292 ····<select·idref="package_cron_installed"·selected="true"/>246 ····<select·idref="package_cron_installed"·selected="true"/>
293 ····<select·idref="service_auditd_enabled"·selected="true"/>247 ····<select·idref="service_auditd_enabled"·selected="true"/>
294 ····<select·idref="service_ntpd_enabled"·selected="true"/>248 ····<select·idref="service_ntpd_enabled"·selected="true"/>
295 ····<select·idref="grub2_enable_iommu_force"·selected="true"/> 
296 ····<select·idref="remediation_functions"·selected="false"/>249 ····<select·idref="remediation_functions"·selected="false"/>
 250 ····<select·idref="hw-install"·selected="false"/>
297 ····<select·idref="rsyslog_sending_messages"·selected="false"/>251 ····<select·idref="rsyslog_sending_messages"·selected="false"/>
298 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>252 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>
299 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>253 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>
300 ··</Profile>254 ··</Profile>
301 ··<Profile·id="anssi_np_nt28_minimal">255 ··<Profile·id="anssi_np_nt28_minimal">
302 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title>256 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title>
303 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description>257 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description>
Offset 312, 28 lines modifiedOffset 266, 74 lines modified
312 ····<select·idref="file_permissions_etc_gshadow"·selected="true"/>266 ····<select·idref="file_permissions_etc_gshadow"·selected="true"/>
313 ····<select·idref="file_permissions_etc_passwd"·selected="true"/>267 ····<select·idref="file_permissions_etc_passwd"·selected="true"/>
314 ····<select·idref="file_permissions_etc_group"·selected="true"/>268 ····<select·idref="file_permissions_etc_group"·selected="true"/>
315 ····<select·idref="remediation_functions"·selected="false"/>269 ····<select·idref="remediation_functions"·selected="false"/>
316 ····<select·idref="basics"·selected="false"/>270 ····<select·idref="basics"·selected="false"/>
317 ····<select·idref="ssh"·selected="false"/>271 ····<select·idref="ssh"·selected="false"/>
318 ····<select·idref="ssh_server"·selected="false"/>272 ····<select·idref="ssh_server"·selected="false"/>
 273 ····<select·idref="hw-install"·selected="false"/>
319 ····<select·idref="logging"·selected="false"/>274 ····<select·idref="logging"·selected="false"/>
320 ····<select·idref="rsyslog_sending_messages"·selected="false"/>275 ····<select·idref="rsyslog_sending_messages"·selected="false"/>
321 ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/>276 ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/>
322 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>277 ····<select·idref="rsyslog_accepting_remote_messages"·selected="false"/>
323 ····<select·idref="log_rotation"·selected="false"/>278 ····<select·idref="log_rotation"·selected="false"/>
324 ····<select·idref="hw-install"·selected="false"/> 
325 ····<select·idref="fs-part"·selected="false"/>279 ····<select·idref="fs-part"·selected="false"/>
326 ····<select·idref="installation-storage-partitioning"·selected="false"/>280 ····<select·idref="installation-storage-partitioning"·selected="false"/>
327 ····<select·idref="fs-restrict"·selected="false"/>281 ····<select·idref="fs-restrict"·selected="false"/>
328 ····<select·idref="permission_important_state_files"·selected="false"/>282 ····<select·idref="permission_important_state_files"·selected="false"/>
329 ····<select·idref="restriction"·selected="false"/>283 ····<select·idref="restriction"·selected="false"/>
330 ····<select·idref="coredumps"·selected="false"/>284 ····<select·idref="coredumps"·selected="false"/>
331 ····<select·idref="enable_execshield_settings"·selected="false"/>285 ····<select·idref="enable_execshield_settings"·selected="false"/>
332 ··</Profile>286 ··</Profile>
 287 ··<Profile·id="anssi_np_nt28_high">
 288 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</title>
Max diff block lines reached; 121029/133381 bytes (90.74%) of diff not shown.
971 KB
ssg-debian_0.1.39-2_all.deb
452 B
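--- a/ssg-debian_0.1.39-2_all.deb/file list
+++ b/ssg-debian_0.1.39-2_all.deb/file list
@@ -1,3 +1,3 @@
 -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary
--rw-r--r--···0········0········0·····1580·2018-07-26·14:58:28.000000·control.tar.xz
--rw-r--r--···0········0········0···153784·2018-07-26·14:58:28.000000·data.tar.xz
+-rw-r--r--···0········0········0·····1584·2018-07-26·14:58:28.000000·control.tar.xz
+-rw-r--r--···0········0········0···153688·2018-07-26·14:58:28.000000·data.tar.xz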
98.0 B
control.tar.xz
70.0 B
control.tar
48.0 B
./md5sums
30.0 B
./md5sums
Files differ
970 KB
data.tar.xz
970 KB
data.tar
126 KB
./usr/share/doc/ssg-debian/ssg-debian8-guide-anssi_np_nt28_average.html
    
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 185, 44 lines modifiedOffset 185, 44 lines modified
185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
186 class·remove_telnetd-ssl·{186 class·remove_telnetd-ssl·{
187 ··package·{·'telnetd-ssl':187 ··package·{·'telnetd-ssl':
188 ····ensure·=&gt;·'purged',188 ····ensure·=&gt;·'purged',
189 ··}189 ··}
190 }190 }
191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
196 #»      ···from·the·system,·and·may·remove·any·packages196 #»      ···from·the·system,·and·may·remove·any·packages
197 #»      ···that·depend·on·telnetd.·Execute·this197 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
198 #»      ···remediation·AFTER·testing·on·a·non-production198 #»      ···remediation·AFTER·testing·on·a·non-production
199 #»      ···system!199 #»      ···system!
  
200 apt-get·remove·--purge·telnetd200 apt-get·remove·--purge·inetutils-telnetd
201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
202 ··package:202 ··package:
203 ····name="{{item}}"203 ····name="{{item}}"
204 ····state=absent204 ····state=absent
205 ··with_items:205 ··with_items:
206 ····-·telnetd206 ····-·inetutils-telnetd
207 ··tags:207 ··tags:
208 ····-·package_telnetd_removed208 ····-·package_inetutils-telnetd_removed
209 ····-·high_severity209 ····-·high_severity
210 ····-·disable_strategy210 ····-·disable_strategy
211 ····-·low_complexity211 ····-·low_complexity
212 ····-·low_disruption212 ····-·low_disruption
213 ····-·CCE-213 ····-·CCE-
214 ····-·NIST-800-53-AC-17(8)214 ····-·NIST-800-53-AC-17(8)
215 ····-·NIST-800-53-CM-7215 ····-·NIST-800-53-CM-7
216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
217 class·remove_telnetd·{217 class·remove_inetutils-telnetd·{
218 ··package·{·'telnetd':218 ··package·{·'inetutils-telnetd':
219 ····ensure·=&gt;·'purged',219 ····ensure·=&gt;·'purged',
220 ··}220 ··}
221 }221 }
222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service
225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 269, 26 lines modifiedOffset 269, 23 lines modified
269 verified·by·ensuring·that·the·following269 verified·by·ensuring·that·the·following
270 line·appears:270 line·appears:
271 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that271 <pre>Protocol·2</pre></p><span·class="label·label-primary">Rationale:</span><p>SSH·protocol·version·1·suffers·from·design·flaws·that
272 result·in·security·vulnerabilities·and272 result·in·security·vulnerabilities·and
273 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 273 should·not·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
274 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 274 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
275 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 275 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
276 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords276 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(7)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
277 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with277 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
278 empty·passwords,·add·or·correct·the·following·line·in278 edit·<code>/etc/ssh/sshd_config</code>·as
279 <code>/etc/ssh/sshd_config</code>:279 follows:
280 <pre>PermitEmptyPasswords·no</pre>280 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
281 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration281 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
282 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that282 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
283 remote·login·via·SSH·will·require·a·password, 
284 even·in·the·event·of·misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
285 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
286 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 283 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
287 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5097"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval284 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm5099"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
288 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.285 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout·interval.
289 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.286 After·this·interval·has·passed,·the·idle·user·will·be·automatically·logged·out.
290 <br><br>287 <br><br>
291 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as288 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
292 follows:289 follows:
293 <pre>ClientAliveInterval·<b>interval</b></pre>290 <pre>ClientAliveInterval·<b>interval</b></pre>
294 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout291 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout
Offset 298, 23 lines modifiedOffset 295, 26 lines modified
298 shell,·that·value·will·preempt·any·SSH295 shell,·that·value·will·preempt·any·SSH
299 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH296 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
300 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out297 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out
301 guards·against·compromises·one·system·leading·trivially298 guards·against·compromises·one·system·leading·trivially
302 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 299 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
303 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 300 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
304 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 301 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
305 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm5120"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count302 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm5122"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords
306 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,303 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·remote·login·from·accounts·with
307 edit·<code>/etc/ssh/sshd_config</code>·as304 empty·passwords,·add·or·correct·the·following·line·in
Max diff block lines reached; 97587/128487 bytes (75.95%) of diff not shown.
./usr/share/doc/ssg-debian/ssg-debian8-guide-anssi_np_nt28_high.html
    
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:debianproject:debian:8</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·0px"><small>contains·42·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:debianproject:debian:8</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·0px"><small>contains·42·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Debian·8·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Debian·8·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Debian·8·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Debian·8·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Debian·8·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Debian·8·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Debian·8·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Debian·8·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 185, 44 lines modifiedOffset 185, 44 lines modified
185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
186 class·remove_telnetd-ssl·{186 class·remove_telnetd-ssl·{
187 ··package·{·'telnetd-ssl':187 ··package·{·'telnetd-ssl':
188 ····ensure·=&gt;·'purged',188 ····ensure·=&gt;·'purged',
189 ··}189 ··}
190 }190 }
191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
196 #»      ···from·the·system,·and·may·remove·any·packages196 #»      ···from·the·system,·and·may·remove·any·packages
197 #»      ···that·depend·on·telnetd.·Execute·this197 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
198 #»      ···remediation·AFTER·testing·on·a·non-production198 #»      ···remediation·AFTER·testing·on·a·non-production
199 #»      ···system!199 #»      ···system!
  
200 apt-get·remove·--purge·telnetd200 apt-get·remove·--purge·inetutils-telnetd
201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
202 ··package:202 ··package:
203 ····name="{{item}}"203 ····name="{{item}}"
204 ····state=absent204 ····state=absent
205 ··with_items:205 ··with_items:
206 ····-·telnetd206 ····-·inetutils-telnetd
207 ··tags:207 ··tags:
208 ····-·package_telnetd_removed208 ····-·package_inetutils-telnetd_removed
209 ····-·high_severity209 ····-·high_severity
210 ····-·disable_strategy210 ····-·disable_strategy
211 ····-·low_complexity211 ····-·low_complexity
212 ····-·low_disruption212 ····-·low_disruption
213 ····-·CCE-213 ····-·CCE-
214 ····-·NIST-800-53-AC-17(8)214 ····-·NIST-800-53-AC-17(8)
215 ····-·NIST-800-53-CM-7215 ····-·NIST-800-53-CM-7
216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
217 class·remove_telnetd·{217 class·remove_inetutils-telnetd·{
218 ··package·{·'telnetd':218 ··package·{·'inetutils-telnetd':
219 ····ensure·=&gt;·'purged',219 ····ensure·=&gt;·'purged',
220 ··}220 ··}
221 }221 }
222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service
225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 295, 19 lines modifiedOffset 295, 39 lines modified
295 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd295 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd
  
296 class·install_auditd·{296 class·install_auditd·{
297 ··package·{·'auditd':297 ··package·{·'auditd':
298 ····ensure·=&gt;·'installed',298 ····ensure·=&gt;·'installed',
299 ··}299 ··}
300 }300 }
301 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled"·id="guide-tree-leaf-idm4986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_auditd_enabled">Enable·the·auditd·service301 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntp_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntp_enabled"·id="guide-tree-leaf-idm4986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntp_enabled">Enable·the·ntpd·service
 302 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntp_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 303 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 304 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 305 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntp
 306 ··service:
 307 ····name="{{item}}"
 308 ····enabled="yes"
 309 ····state="started"
 310 ··with_items:
 311 ····-·ntp
 312 ··tags:
 313 ····-·service_ntp_enabled
 314 ····-·high_severity
Max diff block lines reached; 126621/155260 bytes (81.55%) of diff not shown.
61.8 KB
./usr/share/doc/ssg-debian/ssg-debian8-guide-anssi_np_nt28_minimal.html
    
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4914"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed"·id="guide-tree-leaf-idm4914"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">Uninstall·the·ssl·compliant·telnet·server
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon,·even·with·ssl·support,·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet,·even·with·ssl·support,·should·not·be·installed.·When·remote·shell·is·required,·up-to-date·ssh·daemon·can·be·used.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
Offset 155, 44 lines modifiedOffset 155, 44 lines modified
155 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl155 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
156 class·remove_telnetd-ssl·{156 class·remove_telnetd-ssl·{
157 ··package·{·'telnetd-ssl':157 ··package·{·'telnetd-ssl':
158 ····ensure·=&gt;·'purged',158 ····ensure·=&gt;·'purged',
159 ··}159 ··}
160 }160 }
161 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server161 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
162 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 162 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
163 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 163 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
164 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 164 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
165 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd165 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
166 #»      ···from·the·system,·and·may·remove·any·packages166 #»      ···from·the·system,·and·may·remove·any·packages
167 #»      ···that·depend·on·telnetd.·Execute·this167 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
168 #»      ···remediation·AFTER·testing·on·a·non-production168 #»      ···remediation·AFTER·testing·on·a·non-production
169 #»      ···system!169 #»      ···system!
  
170 apt-get·remove·--purge·telnetd170 apt-get·remove·--purge·inetutils-telnetd
171 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed171 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
172 ··package:172 ··package:
173 ····name="{{item}}"173 ····name="{{item}}"
174 ····state=absent174 ····state=absent
175 ··with_items:175 ··with_items:
176 ····-·telnetd176 ····-·inetutils-telnetd
177 ··tags:177 ··tags:
178 ····-·package_telnetd_removed178 ····-·package_inetutils-telnetd_removed
179 ····-·high_severity179 ····-·high_severity
180 ····-·disable_strategy180 ····-·disable_strategy
181 ····-·low_complexity181 ····-·low_complexity
182 ····-·low_disruption182 ····-·low_disruption
183 ····-·CCE-183 ····-·CCE-
184 ····-·NIST-800-53-AC-17(8)184 ····-·NIST-800-53-AC-17(8)
185 ····-·NIST-800-53-CM-7185 ····-·NIST-800-53-CM-7
186 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd186 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
187 class·remove_telnetd·{187 class·remove_inetutils-telnetd·{
188 ··package·{·'telnetd':188 ··package·{·'inetutils-telnetd':
189 ····ensure·=&gt;·'purged',189 ····ensure·=&gt;·'purged',
190 ··}190 ··}
191 }191 }
192 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration192 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration
193 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5164"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration193 ························  
<a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated"·id="guide-tree-leaf-idm5164"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_apt"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">Disable·unauthenticated·repositories·in·APT·configuration
194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update.194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_apt_conf_disallow_unauthenticated">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Unauthenticated·repositories·should·not·be·used·for·updates.</p><span·class="label·label-primary">Rationale:</span><p>Repositories·hosts·all·packages·that·will·be·intsalled·on·the·system·during·update.
195 ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted,195 ····If·a·repository·is·not·authenticated,·the·associated·packages·can't·be·trusted,
Offset 225, 95 lines modifiedOffset 225, 95 lines modified
225 choose.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">Configure·&lt;tt&gt;rsyslogd&lt;/tt&gt;·to·Accept·Remote·Messages·If·Acting·as·a·Log·Server225 choose.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">Configure·&lt;tt&gt;rsyslogd&lt;/tt&gt;·to·Accept·Remote·Messages·If·Acting·as·a·Log·Server
226 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·<code>rsyslog</code>·does·not·listen·over·the·network226 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·<code>rsyslog</code>·does·not·listen·over·the·network
227 for·log·messages.·If·needed,·modules·can·be·enabled·to·allow227 for·log·messages.·If·needed,·modules·can·be·enabled·to·allow
228 the·rsyslog·daemon·to·receive·messages·from·other·systems·and·for·the·system228 the·rsyslog·daemon·to·receive·messages·from·other·systems·and·for·the·system
229 thus·to·act·as·a·log·server.229 thus·to·act·as·a·log·server.
230 If·the·machine·is·not·a·log·server,·then·lines·concerning·these·modules230 If·the·machine·is·not·a·log·server,·then·lines·concerning·these·modules
231 should·remain·commented·out.231 should·remain·commented·out.
232 <br><br></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_syslogng_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_syslogng_installed"·id="guide-tree-leaf-idm5326"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_syslogng_installed">Ensure·syslog-ng·is·Installed232 <br><br></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_syslogng_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_syslogng_enabled"·id="guide-tree-leaf-idm5323"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_syslogng_enabled">Enable·syslog-ng·Service
233 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_syslogng_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>syslog-ng·can·be·installed·in·replacement·of·rsyslog.· 
  
234 ········The·<code>syslog-ng-core</code>·package·can·be·installed·with·the·following·command: 
235 ········<pre>#·apt-get·install·syslog-ng-core</pre></p><span·class="label·label-primary">Rationale:</span><p>The·syslog-ng-core·package·provides·the·syslog-ng·daemon,·which·provides 
236 system·logging·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
237 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
238 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_syslogng_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_syslogng_enabled"·id="guide-tree-leaf-idm5340"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_syslogng_enabled">Enable·syslog-ng·Service 
239 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_syslogng_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>syslog-ng</code>·service·(in·replacement·of·rsyslog)·provides·syslog-style·logging·by·default·on·Debian·8.233 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_syslogng_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>syslog-ng</code>·service·(in·replacement·of·rsyslog)·provides·syslog-style·logging·by·default·on·Debian·8.
  
240 ········The·<code>syslog-ng</code>·service·can·be·enabled·with·the·following·command:234 ········The·<code>syslog-ng</code>·service·can·be·enabled·with·the·following·command:
241 ········<pre>$·sudo·chkconfig·--level·2345·syslog-ng·on</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>syslog-ng</code>·service·must·be·running·in·order·to·provide235 ········<pre>$·sudo·chkconfig·--level·2345·syslog-ng·on</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>syslog-ng</code>·service·must·be·running·in·order·to·provide
242 logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 236 logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
243 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 237 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
244 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.2</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·id="guide-tree-leaf-idm5409"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">Enable·rsyslog·Service238 
············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.2</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_syslogng_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_syslogng_installed"·id="guide-tree-leaf-idm5342"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_syslogng_installed">Ensure·syslog-ng·is·Installed
 239 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_syslogng_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>syslog-ng·can·be·installed·in·replacement·of·rsyslog.·
  
 240 ········The·<code>syslog-ng-core</code>·package·can·be·installed·with·the·following·command:
 241 ········<pre>#·apt-get·install·syslog-ng-core</pre></p><span·class="label·label-primary">Rationale:</span><p>The·syslog-ng-core·package·provides·the·syslog-ng·daemon,·which·provides
 242 system·logging·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 243 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 244 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"·id="guide-tree-leaf-idm5406"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">Enable·rsyslog·Service
245 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsyslog</code>·service·provides·syslog-style·logging·by·default·on·Debian·8.245 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsyslog</code>·service·provides·syslog-style·logging·by·default·on·Debian·8.
  
246 ········The·<code>rsyslog</code>·service·can·be·enabled·with·the·following·command:246 ········The·<code>rsyslog</code>·service·can·be·enabled·with·the·following·command:
247 ········<pre>$·sudo·chkconfig·--level·2345·rsyslog·on</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsyslog</code>·service·must·be·running·in·order·to·provide247 ········<pre>$·sudo·chkconfig·--level·2345·rsyslog·on</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsyslog</code>·service·must·be·running·in·order·to·provide
248 logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 248 logging·services,·which·are·essential·to·system·administration.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
249 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 249 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
250 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.2</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm5426">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm5426"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·rsyslog250 
············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</a>,·<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R5)</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf">5.1.2</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001311</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001557</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001851</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm5423">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm5423"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·rsyslog
251 ··service:251 ··service:
Max diff block lines reached; 31769/63172 bytes (50.29%) of diff not shown.
140 KB
./usr/share/doc/ssg-debian/ssg-debian8-guide-anssi_np_nt28_restrictive.html
    
Offset 89, 44 lines modifiedOffset 89, 44 lines modified
89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis89 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
90 class·remove_nis·{90 class·remove_nis·{
91 ··package·{·'nis':91 ··package·{·'nis':
92 ····ensure·=&gt;·'purged',92 ····ensure·=&gt;·'purged',
93 ··}93 ··}
94 }94 }
95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server95 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd99 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
100 #»      ···from·the·system,·and·may·remove·any·packages100 #»      ···from·the·system,·and·may·remove·any·packages
101 #»      ···that·depend·on·inetutils-telnetd.·Execute·this101 #»      ···that·depend·on·telnetd.·Execute·this
102 #»      ···remediation·AFTER·testing·on·a·non-production102 #»      ···remediation·AFTER·testing·on·a·non-production
103 #»      ···system!103 #»      ···system!
  
104 apt-get·remove·--purge·inetutils-telnetd104 apt-get·remove·--purge·telnetd
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
106 ··package:106 ··package:
107 ····name="{{item}}"107 ····name="{{item}}"
108 ····state=absent108 ····state=absent
109 ··with_items:109 ··with_items:
110 ····-·inetutils-telnetd110 ····-·telnetd
111 ··tags:111 ··tags:
112 ····-·package_inetutils-telnetd_removed112 ····-·package_telnetd_removed
113 ····-·high_severity113 ····-·high_severity
114 ····-·disable_strategy114 ····-·disable_strategy
115 ····-·low_complexity115 ····-·low_complexity
116 ····-·low_disruption116 ····-·low_disruption
117 ····-·CCE-117 ····-·CCE-
118 ····-·NIST-800-53-AC-17(8)118 ····-·NIST-800-53-AC-17(8)
119 ····-·NIST-800-53-CM-7119 ····-·NIST-800-53-CM-7
120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd120 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
121 class·remove_inetutils-telnetd·{121 class·remove_telnetd·{
122 ··package·{·'inetutils-telnetd':122 ··package·{·'telnetd':
123 ····ensure·=&gt;·'purged',123 ····ensure·=&gt;·'purged',
124 ··}124 ··}
125 }125 }
126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package126 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 128 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate129 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 185, 44 lines modifiedOffset 185, 44 lines modified
185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl185 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
186 class·remove_telnetd-ssl·{186 class·remove_telnetd-ssl·{
187 ··package·{·'telnetd-ssl':187 ··package·{·'telnetd-ssl':
188 ····ensure·=&gt;·'purged',188 ····ensure·=&gt;·'purged',
189 ··}189 ··}
190 }190 }
191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server191 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 193 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd195 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
196 #»      ···from·the·system,·and·may·remove·any·packages196 #»      ···from·the·system,·and·may·remove·any·packages
197 #»      ···that·depend·on·telnetd.·Execute·this197 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
198 #»      ···remediation·AFTER·testing·on·a·non-production198 #»      ···remediation·AFTER·testing·on·a·non-production
199 #»      ···system!199 #»      ···system!
  
200 apt-get·remove·--purge·telnetd200 apt-get·remove·--purge·inetutils-telnetd
201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed201 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
202 ··package:202 ··package:
203 ····name="{{item}}"203 ····name="{{item}}"
204 ····state=absent204 ····state=absent
205 ··with_items:205 ··with_items:
206 ····-·telnetd206 ····-·inetutils-telnetd
207 ··tags:207 ··tags:
208 ····-·package_telnetd_removed208 ····-·package_inetutils-telnetd_removed
209 ····-·high_severity209 ····-·high_severity
210 ····-·disable_strategy210 ····-·disable_strategy
211 ····-·low_complexity211 ····-·low_complexity
212 ····-·low_disruption212 ····-·low_disruption
213 ····-·CCE-213 ····-·CCE-
214 ····-·NIST-800-53-AC-17(8)214 ····-·NIST-800-53-AC-17(8)
215 ····-·NIST-800-53-CM-7215 ····-·NIST-800-53-CM-7
216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd216 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
217 class·remove_telnetd·{217 class·remove_inetutils-telnetd·{
218 ··package·{·'telnetd':218 ··package·{·'inetutils-telnetd':
219 ····ensure·=&gt;·'purged',219 ····ensure·=&gt;·'purged',
220 ··}220 ··}
221 }221 }
222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services222 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.223 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service224 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed"·id="guide-tree-leaf-idm4952"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntp_installed">Install·the·ntp·service
225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 225 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·installed.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 295, 19 lines modifiedOffset 295, 39 lines modified
295 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd295 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd
  
296 class·install_auditd·{296 class·install_auditd·{
297 ··package·{·'auditd':297 ··package·{·'auditd':
298 ····ensure·=&gt;·'installed',298 ····ensure·=&gt;·'installed',
299 ··}299 ··}
300 }300 }
301 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled"·id="guide-tree-leaf-idm4986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_auditd_enabled">Enable·the·auditd·service301 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntp_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntp_enabled"·id="guide-tree-leaf-idm4986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntp_enabled">Enable·the·ntpd·service
 302 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntp_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 303 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 304 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 305 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntp
 306 ··service:
 307 ····name="{{item}}"
 308 ····enabled="yes"
 309 ····state="started"
 310 ··with_items:
 311 ····-·ntp
 312 ··tags:
 313 ····-·service_ntp_enabled
 314 ····-·high_severity
 315 ····-·enable_strategy
 316 ····-·low_complexity
 317 ····-·low_disruption
 318 ····-·CCE-
 319 ····-·NIST-800-53-AU-8(1)
 320 ····-·PCI-DSS-Req-10.4
 321 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled"·id="guide-tree-leaf-idm5000"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_auditd_enabled">Enable·the·auditd·service
302 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_auditd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 322 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_auditd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
303 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 323 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
304 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 324 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
305 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000347</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000157</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000880</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001353</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001462</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001487</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001115</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001454</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000067</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000158</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000831</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001190</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001263</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000130</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000120</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001589</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">I
R-5</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm5017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm5017"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·auditd325 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000347</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000157</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000880</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001353</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001462</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001487</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001115</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001454</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000067</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000158</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000831</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001190</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001263</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000130</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000120</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001589</a>,·<a·href="http://nvlpubs.nist.gov/nistpub
s/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm5031">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm5031"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·auditd
306 ··service:326 ··service:
307 ····name="{{item}}"327 ····name="{{item}}"
308 ····enabled="yes"328 ····enabled="yes"
309 ····state="started"329 ····state="started"
310 ··with_items:330 ··with_items:
Max diff block lines reached; 113939/143305 bytes (79.51%) of diff not shown.
18.3 KB
./usr/share/doc/ssg-debian/ssg-debian8-guide-default.html
    
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:debianproject:debian:8</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content
_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:debianproject:debian:8</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_basics">Generic·required·services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_apt">APT·service·configuration</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sudo">Access·Control·using·sudo</a></li><li><a·href="#xccdf_org.ssgproject.content_group_fs-part">Hardening·the·filesystem</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_
functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
58 the·software·which·Debian·8·installs·on·a·system·and·disable·software·which·is·not·needed.·It58 the·software·which·Debian·8·installs·on·a·system·and·disable·software·which·is·not·needed.·It
59 then·enumerates·the·software·packages·installed·on·a·default·Debian·8·system·and·provides·guidance·about·which59 then·enumerates·the·software·packages·installed·on·a·default·Debian·8·system·and·provides·guidance·about·which
60 ones·can·be·safely·disabled.60 ones·can·be·safely·disabled.
61 <br><br>61 <br><br>
62 Debian·8·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional62 Debian·8·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
Offset 75, 19 lines modifiedOffset 75, 15 lines modified
75 server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed75 server·side·implementation·is·called·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·deployed
76 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then76 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
77 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration77 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
78 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be78 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
79 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more79 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
80 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration80 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_apt"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_apt">APT·service·configuration
81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_apt">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·apt·service·manage·the·package·management·and·update·of·the·whole·system.·Its·configuration·need·to·be·properly·defined·to·ensure·efficient·security·updates,·packages·and·repository·authentication·and·proper·lifecycle·management.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_apt"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_system"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_system">System·Settings
82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_software"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_system">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Contains·rules·that·check·correct·system·settings.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_system"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-8"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_software">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·following·sections·contain·information·on 
84 security-relevant·choices·during·the·initial·operating·system 
85 installation·process·and·the·setup·of·software 
86 updates.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_logging"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_logging"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_logging">Configure·Syslog 
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_logging">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·syslog·service·has·been·the·default·Unix·logging·mechanism·for
88 many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format,84 many·years.·It·has·a·number·of·downsides,·including·inconsistent·log·format,
89 lack·of·authentication·for·received·messages,·and·lack·of·authentication,85 lack·of·authentication·for·received·messages,·and·lack·of·authentication,
90 encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However,86 encryption,·or·reliable·transport·for·messages·sent·over·a·network.·However,
91 due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by87 due·to·its·long·history,·syslog·is·a·de·facto·standard·which·is·supported·by
92 almost·all·Unix·applications.88 almost·all·Unix·applications.
93 <br>89 <br>
Offset 206, 16 lines modifiedOffset 202, 15 lines modified
206 providing·a·username·and·password·to·a·login·program,·which·tests202 providing·a·username·and·password·to·a·login·program,·which·tests
207 these·values·for·correctness·using·the·<code>/etc/passwd</code>·and203 these·values·for·correctness·using·the·<code>/etc/passwd</code>·and
208 <code>/etc/shadow</code>·files.·Password-based·login·is·vulnerable·to204 <code>/etc/shadow</code>·files.·Password-based·login·is·vulnerable·to
209 guessing·of·weak·passwords,·and·to·sniffing·and·man-in-the-middle205 guessing·of·weak·passwords,·and·to·sniffing·and·man-in-the-middle
210 attacks·against·passwords·entered·over·a·network·or·at·an·insecure206 attacks·against·passwords·entered·over·a·network·or·at·an·insecure
211 console.·Therefore,·mechanisms·for·accessing·accounts·by·entering207 console.·Therefore,·mechanisms·for·accessing·accounts·by·entering
212 usernames·and·passwords·should·be·restricted·to·those·which·are208 usernames·and·passwords·should·be·restricted·to·those·which·are
213 operationally·necessary.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage209 operationally·necessary.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_permissions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_permissions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks
214 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_permissions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_permissions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks 
215 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_permissions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Traditional·Unix·security·relies·heavily·on·file·and210 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_permissions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Traditional·Unix·security·relies·heavily·on·file·and
216 directory·permissions·to·prevent·unauthorized·users·from·reading·or211 directory·permissions·to·prevent·unauthorized·users·from·reading·or
217 modifying·files·to·which·they·should·not·have·access.212 modifying·files·to·which·they·should·not·have·access.
218 <br><br>213 <br><br>
219 Several·of·the·commands·in·this·section·search·filesystems214 Several·of·the·commands·in·this·section·search·filesystems
220 for·files·or·directories·with·certain·characteristics,·and·are215 for·files·or·directories·with·certain·characteristics,·and·are
221 intended·to·be·run·on·every·local·partition·on·a·given·system.216 intended·to·be·run·on·every·local·partition·on·a·given·system.
Offset 271, 13 lines modifiedOffset 266, 18 lines modified
271 protection·against·exploitation·of·memory·corruption·errors·such·as·buffer266 protection·against·exploitation·of·memory·corruption·errors·such·as·buffer
272 overflows.·These·features·include·random·placement·of·the·stack·and·other267 overflows.·These·features·include·random·placement·of·the·stack·and·other
273 memory·regions,·prevention·of·execution·in·memory·that·should·only·hold·data,268 memory·regions,·prevention·of·execution·in·memory·that·should·only·hold·data,
274 and·special·handling·of·text·buffers.·These·protections·are·enabled·by·default269 and·special·handling·of·text·buffers.·These·protections·are·enabled·by·default
275 on·32-bit·systems·and·controlled·through·<code>sysctl</code>·variables·270 on·32-bit·systems·and·controlled·through·<code>sysctl</code>·variables·
276 <code>kernel.exec-shield</code>·and·<code>kernel.randomize_va_space</code>.·On·the·latest271 <code>kernel.exec-shield</code>·and·<code>kernel.randomize_va_space</code>.·On·the·latest
277 64-bit·systems,·<code>kernel.exec-shield</code>·cannot·be·enabled·or·disabled·with·272 64-bit·systems,·<code>kernel.exec-shield</code>·cannot·be·enabled·or·disabled·with·
278 <code>sysctl</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_enable_execshield_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restriction"><td·style="padding-left:·76px"></td></tr></tbody></table></div><div·id="rear-matter"><div·class="row·top-spacer-10"><div·class="col-md-12·well·well-lg"><div·class="rear-matter">Red·Hat·and·Red·Hat·Enterprise·Linux·are·either·registered273 <code>sysctl</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_enable_execshield_settings"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_restriction"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_hw-install"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_hw-install">Hardening·the·hardware·usage
 274 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_hw-install">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Hardware·dependent,·but·efficient·against·various·risks.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_hw-install"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_software"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software
 275 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_software">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·following·sections·contain·information·on
 276 security-relevant·choices·during·the·initial·operating·system
 277 installation·process·and·the·setup·of·software
 278 updates.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_software"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td·style="padding-left:·38px"></td></tr></tbody></table></div><div·id="rear-matter"><div·class="row·top-spacer-10"><div·class="col-md-12·well·well-lg"><div·class="rear-matter">Red·Hat·and·Red·Hat·Enterprise·Linux·are·either·registered
279 trademarks·or·trademarks·of·Red·Hat,·Inc.·in·the·United·States·and·other279 trademarks·or·trademarks·of·Red·Hat,·Inc.·in·the·United·States·and·other
280 countries.·All·other·names·are·registered·trademarks·or·trademarks·of·their280 countries.·All·other·names·are·registered·trademarks·or·trademarks·of·their
281 respective·companies.281 respective·companies.
282 </div></div></div></div></div></div><footer·id="footer"><div·class="container"><p·class="muted·credit">282 </div></div></div></div></div></div><footer·id="footer"><div·class="container"><p·class="muted·credit">
283 ················Generated·using·<a·href="http://open-scap.org">OpenSCAP</a>·1.2.16</p></div></footer></body></html>283 ················Generated·using·<a·href="http://open-scap.org">OpenSCAP</a>·1.2.16</p></div></footer></body></html>
124 KB
./usr/share/doc/ssg-debian/ssg-debian8-guide-standard.html
    
Offset 91, 44 lines modifiedOffset 91, 44 lines modified
91 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis91 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4888">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4888"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_nis
  
92 class·remove_nis·{92 class·remove_nis·{
93 ··package·{·'nis':93 ··package·{·'nis':
94 ····ensure·=&gt;·'purged',94 ····ensure·=&gt;·'purged',
95 ··}95 ··}
96 }96 }
97 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server97 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4891"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server
98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
99 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 99 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
100 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 100 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
101 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd101 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4899">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4899"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd
102 #»      ···from·the·system,·and·may·remove·any·packages102 #»      ···from·the·system,·and·may·remove·any·packages
103 #»      ···that·depend·on·inetutils-telnetd.·Execute·this103 #»      ···that·depend·on·telnetd.·Execute·this
104 #»      ···remediation·AFTER·testing·on·a·non-production104 #»      ···remediation·AFTER·testing·on·a·non-production
105 #»      ···system!105 #»      ···system!
  
106 apt-get·remove·--purge·inetutils-telnetd106 apt-get·remove·--purge·telnetd
107 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed107 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4900">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4900"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed
108 ··package:108 ··package:
109 ····name="{{item}}"109 ····name="{{item}}"
110 ····state=absent110 ····state=absent
111 ··with_items:111 ··with_items:
112 ····-·inetutils-telnetd112 ····-·telnetd
113 ··tags:113 ··tags:
114 ····-·package_inetutils-telnetd_removed114 ····-·package_telnetd_removed
115 ····-·high_severity115 ····-·high_severity
116 ····-·disable_strategy116 ····-·disable_strategy
117 ····-·low_complexity117 ····-·low_complexity
118 ····-·low_disruption118 ····-·low_disruption
119 ····-·CCE-119 ····-·CCE-
120 ····-·NIST-800-53-AC-17(8)120 ····-·NIST-800-53-AC-17(8)
121 ····-·NIST-800-53-CM-7121 ····-·NIST-800-53-CM-7
122 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd122 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd
  
123 class·remove_inetutils-telnetd·{123 class·remove_telnetd·{
124 ··package·{·'inetutils-telnetd':124 ··package·{·'telnetd':
125 ····ensure·=&gt;·'purged',125 ····ensure·=&gt;·'purged',
126 ··}126 ··}
127 }127 }
128 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package128 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntpdate_removed"·id="guide-tree-leaf-idm4904"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed">Uninstall·the·ntpdate·package
129 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 129 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_ntpdate_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>ntpdate·is·a·historical·ntp·synchronization·client·for·unixes.·It·sould·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>ntpdate·is·an·old·not·security-compliant·ntp·client.·It·should·be·replaced·by·modern·ntp·clients·such·as·ntpd,·able·to·use·cryptographic·mechanisms·integrated·in·NTP.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
130 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 130 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
131 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate131 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4909">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4909"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·ntpdate
Offset 187, 44 lines modifiedOffset 187, 44 lines modified
187 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl187 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4924">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4924"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd-ssl
  
188 class·remove_telnetd-ssl·{188 class·remove_telnetd-ssl·{
189 ··package·{·'telnetd-ssl':189 ··package·{·'telnetd-ssl':
190 ····ensure·=&gt;·'purged',190 ····ensure·=&gt;·'purged',
191 ··}191 ··}
192 }192 }
193 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnetd_removed">Uninstall·the·telnet·server193 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed"·id="guide-tree-leaf-idm4927"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_deprecated"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">Uninstall·the·inet-based·telnet·server
194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·inet-based·telnet·daemon·should·be·uninstalled.</p><span·class="label·label-primary">Rationale:</span><p>telnet·allows·clear·text·communications,·and·does·not·protect·any·data·transmission·between·client·and·server.·Any·confidential·data·can·be·listened·and·no·integrity·checking·is·made.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
195 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 195 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
196 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 196 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
197 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·telnetd197 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4935">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4935"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
198 #»      ···from·the·system,·and·may·remove·any·packages198 #»      ···from·the·system,·and·may·remove·any·packages
199 #»      ···that·depend·on·telnetd.·Execute·this199 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
200 #»      ···remediation·AFTER·testing·on·a·non-production200 #»      ···remediation·AFTER·testing·on·a·non-production
201 #»      ···system!201 #»      ···system!
  
202 apt-get·remove·--purge·telnetd202 apt-get·remove·--purge·inetutils-telnetd
203 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnetd·is·removed203 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·inetutils-telnetd·is·removed
204 ··package:204 ··package:
205 ····name="{{item}}"205 ····name="{{item}}"
206 ····state=absent206 ····state=absent
207 ··with_items:207 ··with_items:
208 ····-·telnetd208 ····-·inetutils-telnetd
209 ··tags:209 ··tags:
210 ····-·package_telnetd_removed210 ····-·package_inetutils-telnetd_removed
211 ····-·high_severity211 ····-·high_severity
212 ····-·disable_strategy212 ····-·disable_strategy
213 ····-·low_complexity213 ····-·low_complexity
214 ····-·low_disruption214 ····-·low_disruption
215 ····-·CCE-215 ····-·CCE-
216 ····-·NIST-800-53-AC-17(8)216 ····-·NIST-800-53-AC-17(8)
217 ····-·NIST-800-53-CM-7217 ····-·NIST-800-53-CM-7
218 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnetd218 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4937">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4937"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_inetutils-telnetd
  
219 class·remove_telnetd·{219 class·remove_inetutils-telnetd·{
220 ··package·{·'telnetd':220 ··package·{·'inetutils-telnetd':
221 ····ensure·=&gt;·'purged',221 ····ensure·=&gt;·'purged',
222 ··}222 ··}
223 }223 }
224 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services224 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_basics"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_basics">Generic·required·services
225 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.225 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_basics">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Some·services·need·to·be·deployed·in·order·to·ensure·basic·verifications·and·reporting·on·GNU/Linux·operating·systems.
226 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4943"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service226 Each·of·these·service·take·part·in·the·administrability·of·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_basics"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_cron_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_cron_enabled"·id="guide-tree-leaf-idm4943"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_cron_enabled">Enable·the·cron·service
227 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 227 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_cron_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·Cron·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·cron·service·allow·periodic·job·execution,·needed·for·almost·all·administrative·tasks·and·services·(software·update,·log·rotating,·etc.).·Access·to·cron·service·should·be·restricted·to·administrative·accounts·only.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
Offset 316, 19 lines modifiedOffset 316, 39 lines modified
316 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd316 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_auditd
  
317 class·install_auditd·{317 class·install_auditd·{
318 ··package·{·'auditd':318 ··package·{·'auditd':
319 ····ensure·=&gt;·'installed',319 ····ensure·=&gt;·'installed',
320 ··}320 ··}
321 }321 }
322 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled"·id="guide-tree-leaf-idm4986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_auditd_enabled">Enable·the·auditd·service322 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntp_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntp_enabled"·id="guide-tree-leaf-idm4986"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntp_enabled">Enable·the·ntpd·service
 323 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntp_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·ntpd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>Time·synchronization·(using·NTP)·is·required·by·almost·all·network·and·administrative·tasks·(syslog,·cryptographic·based·services·(authentication,·etc.),·etc.).·Ntpd·is·regulary·maintained·and·updated,·supporting·security·features·such·as·RFC·5906.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 324 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 325 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 326 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm4995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntp
 327 ··service:
 328 ····name="{{item}}"
 329 ····enabled="yes"
 330 ····state="started"
 331 ··with_items:
 332 ····-·ntp
 333 ··tags:
 334 ····-·service_ntp_enabled
 335 ····-·high_severity
 336 ····-·enable_strategy
 337 ····-·low_complexity
 338 ····-·low_disruption
 339 ····-·CCE-
 340 ····-·NIST-800-53-AU-8(1)
 341 ····-·PCI-DSS-Req-10.4
 342 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_auditd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_auditd_enabled"·id="guide-tree-leaf-idm5000"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_basics"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_auditd_enabled">Enable·the·auditd·service
323 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_auditd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 343 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_auditd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·auditd·service·should·be·enabled.</p><span·class="label·label-primary">Rationale:</span><p>The·auditd·service·is·an·access·monitoring·and·accounting·daemon,·watching·system·calls·to·audit·any·access,·in·comparision·with·potential·local·access·control·policy·such·as·SELinux·policy.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
324 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 344 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
325 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 345 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-">CCE-</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
326 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000347</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000157</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000880</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001353</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001462</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001487</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001115</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001454</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000067</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000158</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000831</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001190</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001263</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000130</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000120</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001589</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">I
R-5</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm5017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm5017"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·auditd346 ············<a·href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R50)</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000347</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000157</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000172</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000880</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001353</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001462</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001487</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001115</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001454</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000067</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000158</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000831</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001190</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001312</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001263</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000130</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000120</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001589</a>,·<a·href="http://nvlpubs.nist.gov/nistpub
s/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10</a></p></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm5031">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm5031"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·auditd
327 ··service:347 ··service:
328 ····name="{{item}}"348 ····name="{{item}}"
329 ····enabled="yes"349 ····enabled="yes"
330 ····state="started"350 ····state="started"
331 ··with_items:351 ··with_items:
Max diff block lines reached; 97285/126615 bytes (76.84%) of diff not shown.
1.5 KB
./usr/share/scap-security-guide/ansible/ssg-debian8-role-anssi_np_nt28_average.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 90, 22 lines modifiedOffset 90, 22 lines modified
90 ········-·disable_strategy90 ········-·disable_strategy
91 ········-·low_complexity91 ········-·low_complexity
92 ········-·low_disruption92 ········-·low_disruption
93 ········-·CCE-93 ········-·CCE-
94 ········-·NIST-800-53-AC-17(8)94 ········-·NIST-800-53-AC-17(8)
95 ········-·NIST-800-53-CM-795 ········-·NIST-800-53-CM-7
96 ····96 ····
97 ····-·name:·Ensure·telnetd·is·removed97 ····-·name:·Ensure·inetutils-telnetd·is·removed
98 ······package:98 ······package:
99 ········name="{{item}}"99 ········name="{{item}}"
100 ········state=absent100 ········state=absent
101 ······with_items:101 ······with_items:
102 ········-·telnetd102 ········-·inetutils-telnetd
103 ······tags:103 ······tags:
104 ········-·package_telnetd_removed104 ········-·package_inetutils-telnetd_removed
105 ········-·high_severity105 ········-·high_severity
106 ········-·disable_strategy106 ········-·disable_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·low_disruption108 ········-·low_disruption
109 ········-·CCE-109 ········-·CCE-
110 ········-·NIST-800-53-AC-17(8)110 ········-·NIST-800-53-AC-17(8)
111 ········-·NIST-800-53-CM-7111 ········-·NIST-800-53-CM-7
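Review bot: The two builds emit the same tasks in a different order — `Ensure inetutils-telnetd is removed` and `Ensure telnetd is removed` swap places between lines 51 and 97 — so this generated role is not byte-for-byte reproducible even though its content is unchanged. The same swap appears in ssg-debian8-role-anssi_np_nt28_high.yml, ssg-debian8-role-anssi_np_nt28_minimal.yml, ssg-debian8-role-anssi_np_nt28_restrictive.yml and ssg-debian8-role-standard.yml, where the `Enable service auditd` and `Enable service ntp` tasks also trade places, and in the bash role ssg-debian8-role-anssi_np_nt28_average.sh, where the `(N / 37)` fix indices and the `Remediating rule N/37` messages are renumbered so the same rule reports a different number per build. The cause is not visible in this report, but this pattern usually comes from emitting rules in the iteration order of an unordered container in the generator; sorting rules by a stable key such as the rule id (the `package_*_removed` / `service_*_enabled` tag) before writing the role would make the output deterministic and let the reproducibility check confirm that both builds apply identical remediations.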
3.2 KB
./usr/share/scap-security-guide/ansible/ssg-debian8-role-anssi_np_nt28_high.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 90, 22 lines modifiedOffset 90, 22 lines modified
90 ········-·disable_strategy90 ········-·disable_strategy
91 ········-·low_complexity91 ········-·low_complexity
92 ········-·low_disruption92 ········-·low_disruption
93 ········-·CCE-93 ········-·CCE-
94 ········-·NIST-800-53-AC-17(8)94 ········-·NIST-800-53-AC-17(8)
95 ········-·NIST-800-53-CM-795 ········-·NIST-800-53-CM-7
96 ····96 ····
97 ····-·name:·Ensure·telnetd·is·removed97 ····-·name:·Ensure·inetutils-telnetd·is·removed
98 ······package:98 ······package:
99 ········name="{{item}}"99 ········name="{{item}}"
100 ········state=absent100 ········state=absent
101 ······with_items:101 ······with_items:
102 ········-·telnetd102 ········-·inetutils-telnetd
103 ······tags:103 ······tags:
104 ········-·package_telnetd_removed104 ········-·package_inetutils-telnetd_removed
105 ········-·high_severity105 ········-·high_severity
106 ········-·disable_strategy106 ········-·disable_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·low_disruption108 ········-·low_disruption
109 ········-·CCE-109 ········-·CCE-
110 ········-·NIST-800-53-AC-17(8)110 ········-·NIST-800-53-AC-17(8)
111 ········-·NIST-800-53-CM-7111 ········-·NIST-800-53-CM-7
Offset 151, 52 lines modifiedOffset 151, 52 lines modified
151 ········-·package_auditd_installed151 ········-·package_auditd_installed
152 ········-·medium_severity152 ········-·medium_severity
153 ········-·enable_strategy153 ········-·enable_strategy
154 ········-·low_complexity154 ········-·low_complexity
155 ········-·low_disruption155 ········-·low_disruption
156 ········-·CCE-156 ········-·CCE-
157 ····157 ····
158 ····-·name:·Enable·service·auditd158 ····-·name:·Enable·service·ntp
159 ······service:159 ······service:
160 ········name="{{item}}"160 ········name="{{item}}"
161 ········enabled="yes"161 ········enabled="yes"
162 ········state="started"162 ········state="started"
163 ······with_items:163 ······with_items:
164 ········-·auditd164 ········-·ntp
165 ······tags:165 ······tags:
166 ········-·service_auditd_enabled166 ········-·service_ntp_enabled
167 ········-·medium_severity167 ········-·high_severity
168 ········-·enable_strategy168 ········-·enable_strategy
169 ········-·low_complexity169 ········-·low_complexity
170 ········-·low_disruption170 ········-·low_disruption
171 ········-·CCE-171 ········-·CCE-
172 ········-·NIST-800-53-AC-17(1)172 ········-·NIST-800-53-AU-8(1)
173 ········-·NIST-800-53-AU-1(b)173 ········-·PCI-DSS-Req-10.4
174 ········-·NIST-800-53-AU-10 
175 ········-·NIST-800-53-AU-12(a) 
176 ········-·NIST-800-53-AU-12(c) 
177 ········-·NIST-800-53-IR-5 
178 ········-·PCI-DSS-Req-10 
179 ····174 ····
180 ····-·name:·Enable·service·ntp175 ····-·name:·Enable·service·auditd
181 ······service:176 ······service:
182 ········name="{{item}}"177 ········name="{{item}}"
183 ········enabled="yes"178 ········enabled="yes"
184 ········state="started"179 ········state="started"
185 ······with_items:180 ······with_items:
186 ········-·ntp181 ········-·auditd
187 ······tags:182 ······tags:
188 ········-·service_ntp_enabled183 ········-·service_auditd_enabled
189 ········-·high_severity184 ········-·medium_severity
190 ········-·enable_strategy185 ········-·enable_strategy
191 ········-·low_complexity186 ········-·low_complexity
192 ········-·low_disruption187 ········-·low_disruption
193 ········-·CCE-188 ········-·CCE-
194 ········-·NIST-800-53-AU-8(1)189 ········-·NIST-800-53-AC-17(1)
195 ········-·PCI-DSS-Req-10.4190 ········-·NIST-800-53-AU-1(b)
 191 ········-·NIST-800-53-AU-10
 192 ········-·NIST-800-53-AU-12(a)
 193 ········-·NIST-800-53-AU-12(c)
 194 ········-·NIST-800-53-IR-5
 195 ········-·PCI-DSS-Req-10
196 ····196 ····
197 ····-·name:·Enable·service·rsyslog197 ····-·name:·Enable·service·rsyslog
198 ······service:198 ······service:
199 ········name="{{item}}"199 ········name="{{item}}"
200 ········enabled="yes"200 ········enabled="yes"
201 ········state="started"201 ········state="started"
202 ······with_items:202 ······with_items:
1.5 KB
./usr/share/scap-security-guide/ansible/ssg-debian8-role-anssi_np_nt28_minimal.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 76, 22 lines modifiedOffset 76, 22 lines modified
76 ········-·disable_strategy76 ········-·disable_strategy
77 ········-·low_complexity77 ········-·low_complexity
78 ········-·low_disruption78 ········-·low_disruption
79 ········-·CCE-79 ········-·CCE-
80 ········-·NIST-800-53-AC-17(8)80 ········-·NIST-800-53-AC-17(8)
81 ········-·NIST-800-53-CM-781 ········-·NIST-800-53-CM-7
82 ····82 ····
83 ····-·name:·Ensure·telnetd·is·removed83 ····-·name:·Ensure·inetutils-telnetd·is·removed
84 ······package:84 ······package:
85 ········name="{{item}}"85 ········name="{{item}}"
86 ········state=absent86 ········state=absent
87 ······with_items:87 ······with_items:
88 ········-·telnetd88 ········-·inetutils-telnetd
89 ······tags:89 ······tags:
90 ········-·package_telnetd_removed90 ········-·package_inetutils-telnetd_removed
91 ········-·high_severity91 ········-·high_severity
92 ········-·disable_strategy92 ········-·disable_strategy
93 ········-·low_complexity93 ········-·low_complexity
94 ········-·low_disruption94 ········-·low_disruption
95 ········-·CCE-95 ········-·CCE-
96 ········-·NIST-800-53-AC-17(8)96 ········-·NIST-800-53-AC-17(8)
97 ········-·NIST-800-53-CM-797 ········-·NIST-800-53-CM-7
3.21 KB
./usr/share/scap-security-guide/ansible/ssg-debian8-role-anssi_np_nt28_restrictive.yml
Ordering differences only
    
Offset 44, 22 lines modifiedOffset 44, 22 lines modified
44 ········-·package_nis_removed44 ········-·package_nis_removed
45 ········-·low_severity45 ········-·low_severity
46 ········-·disable_strategy46 ········-·disable_strategy
47 ········-·low_complexity47 ········-·low_complexity
48 ········-·low_disruption48 ········-·low_disruption
49 ········-·CCE-49 ········-·CCE-
50 ····50 ····
51 ····-·name:·Ensure·inetutils-telnetd·is·removed51 ····-·name:·Ensure·telnetd·is·removed
52 ······package:52 ······package:
53 ········name="{{item}}"53 ········name="{{item}}"
54 ········state=absent54 ········state=absent
55 ······with_items:55 ······with_items:
56 ········-·inetutils-telnetd56 ········-·telnetd
57 ······tags:57 ······tags:
58 ········-·package_inetutils-telnetd_removed58 ········-·package_telnetd_removed
59 ········-·high_severity59 ········-·high_severity
60 ········-·disable_strategy60 ········-·disable_strategy
61 ········-·low_complexity61 ········-·low_complexity
62 ········-·low_disruption62 ········-·low_disruption
63 ········-·CCE-63 ········-·CCE-
64 ········-·NIST-800-53-AC-17(8)64 ········-·NIST-800-53-AC-17(8)
65 ········-·NIST-800-53-CM-765 ········-·NIST-800-53-CM-7
Offset 90, 22 lines modifiedOffset 90, 22 lines modified
90 ········-·disable_strategy90 ········-·disable_strategy
91 ········-·low_complexity91 ········-·low_complexity
92 ········-·low_disruption92 ········-·low_disruption
93 ········-·CCE-93 ········-·CCE-
94 ········-·NIST-800-53-AC-17(8)94 ········-·NIST-800-53-AC-17(8)
95 ········-·NIST-800-53-CM-795 ········-·NIST-800-53-CM-7
96 ····96 ····
97 ····-·name:·Ensure·telnetd·is·removed97 ····-·name:·Ensure·inetutils-telnetd·is·removed
98 ······package:98 ······package:
99 ········name="{{item}}"99 ········name="{{item}}"
100 ········state=absent100 ········state=absent
101 ······with_items:101 ······with_items:
102 ········-·telnetd102 ········-·inetutils-telnetd
103 ······tags:103 ······tags:
104 ········-·package_telnetd_removed104 ········-·package_inetutils-telnetd_removed
105 ········-·high_severity105 ········-·high_severity
106 ········-·disable_strategy106 ········-·disable_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·low_disruption108 ········-·low_disruption
109 ········-·CCE-109 ········-·CCE-
110 ········-·NIST-800-53-AC-17(8)110 ········-·NIST-800-53-AC-17(8)
111 ········-·NIST-800-53-CM-7111 ········-·NIST-800-53-CM-7
Offset 151, 52 lines modifiedOffset 151, 52 lines modified
151 ········-·package_auditd_installed151 ········-·package_auditd_installed
152 ········-·medium_severity152 ········-·medium_severity
153 ········-·enable_strategy153 ········-·enable_strategy
154 ········-·low_complexity154 ········-·low_complexity
155 ········-·low_disruption155 ········-·low_disruption
156 ········-·CCE-156 ········-·CCE-
157 ····157 ····
158 ····-·name:·Enable·service·auditd158 ····-·name:·Enable·service·ntp
159 ······service:159 ······service:
160 ········name="{{item}}"160 ········name="{{item}}"
161 ········enabled="yes"161 ········enabled="yes"
162 ········state="started"162 ········state="started"
163 ······with_items:163 ······with_items:
164 ········-·auditd164 ········-·ntp
165 ······tags:165 ······tags:
166 ········-·service_auditd_enabled166 ········-·service_ntp_enabled
167 ········-·medium_severity167 ········-·high_severity
168 ········-·enable_strategy168 ········-·enable_strategy
169 ········-·low_complexity169 ········-·low_complexity
170 ········-·low_disruption170 ········-·low_disruption
171 ········-·CCE-171 ········-·CCE-
172 ········-·NIST-800-53-AC-17(1)172 ········-·NIST-800-53-AU-8(1)
173 ········-·NIST-800-53-AU-1(b)173 ········-·PCI-DSS-Req-10.4
174 ········-·NIST-800-53-AU-10 
175 ········-·NIST-800-53-AU-12(a) 
176 ········-·NIST-800-53-AU-12(c) 
177 ········-·NIST-800-53-IR-5 
178 ········-·PCI-DSS-Req-10 
179 ····174 ····
180 ····-·name:·Enable·service·ntp175 ····-·name:·Enable·service·auditd
181 ······service:176 ······service:
182 ········name="{{item}}"177 ········name="{{item}}"
183 ········enabled="yes"178 ········enabled="yes"
184 ········state="started"179 ········state="started"
185 ······with_items:180 ······with_items:
186 ········-·ntp181 ········-·auditd
187 ······tags:182 ······tags:
188 ········-·service_ntp_enabled183 ········-·service_auditd_enabled
189 ········-·high_severity184 ········-·medium_severity
190 ········-·enable_strategy185 ········-·enable_strategy
191 ········-·low_complexity186 ········-·low_complexity
192 ········-·low_disruption187 ········-·low_disruption
193 ········-·CCE-188 ········-·CCE-
194 ········-·NIST-800-53-AU-8(1)189 ········-·NIST-800-53-AC-17(1)
195 ········-·PCI-DSS-Req-10.4190 ········-·NIST-800-53-AU-1(b)
 191 ········-·NIST-800-53-AU-10
 192 ········-·NIST-800-53-AU-12(a)
 193 ········-·NIST-800-53-AU-12(c)
 194 ········-·NIST-800-53-IR-5
 195 ········-·PCI-DSS-Req-10
196 ····196 ····
197 ····-·name:·Enable·service·rsyslog197 ····-·name:·Enable·service·rsyslog
198 ······service:198 ······service:
199 ········name="{{item}}"199 ········name="{{item}}"
200 ········enabled="yes"200 ········enabled="yes"
201 ········state="started"201 ········state="started"
202 ······with_items:202 ······with_items:
3.18 KB
./usr/share/scap-security-guide/ansible/ssg-debian8-role-standard.yml
Ordering differences only
    
Offset 46, 22 lines modifiedOffset 46, 22 lines modified
46 ········-·package_nis_removed46 ········-·package_nis_removed
47 ········-·low_severity47 ········-·low_severity
48 ········-·disable_strategy48 ········-·disable_strategy
49 ········-·low_complexity49 ········-·low_complexity
50 ········-·low_disruption50 ········-·low_disruption
51 ········-·CCE-51 ········-·CCE-
52 ····52 ····
53 ····-·name:·Ensure·inetutils-telnetd·is·removed53 ····-·name:·Ensure·telnetd·is·removed
54 ······package:54 ······package:
55 ········name="{{item}}"55 ········name="{{item}}"
56 ········state=absent56 ········state=absent
57 ······with_items:57 ······with_items:
58 ········-·inetutils-telnetd58 ········-·telnetd
59 ······tags:59 ······tags:
60 ········-·package_inetutils-telnetd_removed60 ········-·package_telnetd_removed
61 ········-·high_severity61 ········-·high_severity
62 ········-·disable_strategy62 ········-·disable_strategy
63 ········-·low_complexity63 ········-·low_complexity
64 ········-·low_disruption64 ········-·low_disruption
65 ········-·CCE-65 ········-·CCE-
66 ········-·NIST-800-53-AC-17(8)66 ········-·NIST-800-53-AC-17(8)
67 ········-·NIST-800-53-CM-767 ········-·NIST-800-53-CM-7
Offset 92, 22 lines modifiedOffset 92, 22 lines modified
92 ········-·disable_strategy92 ········-·disable_strategy
93 ········-·low_complexity93 ········-·low_complexity
94 ········-·low_disruption94 ········-·low_disruption
95 ········-·CCE-95 ········-·CCE-
96 ········-·NIST-800-53-AC-17(8)96 ········-·NIST-800-53-AC-17(8)
97 ········-·NIST-800-53-CM-797 ········-·NIST-800-53-CM-7
98 ····98 ····
99 ····-·name:·Ensure·telnetd·is·removed99 ····-·name:·Ensure·inetutils-telnetd·is·removed
100 ······package:100 ······package:
101 ········name="{{item}}"101 ········name="{{item}}"
102 ········state=absent102 ········state=absent
103 ······with_items:103 ······with_items:
104 ········-·telnetd104 ········-·inetutils-telnetd
105 ······tags:105 ······tags:
106 ········-·package_telnetd_removed106 ········-·package_inetutils-telnetd_removed
107 ········-·high_severity107 ········-·high_severity
108 ········-·disable_strategy108 ········-·disable_strategy
109 ········-·low_complexity109 ········-·low_complexity
110 ········-·low_disruption110 ········-·low_disruption
111 ········-·CCE-111 ········-·CCE-
112 ········-·NIST-800-53-AC-17(8)112 ········-·NIST-800-53-AC-17(8)
113 ········-·NIST-800-53-CM-7113 ········-·NIST-800-53-CM-7
Offset 169, 52 lines modifiedOffset 169, 52 lines modified
169 ········-·package_auditd_installed169 ········-·package_auditd_installed
170 ········-·medium_severity170 ········-·medium_severity
171 ········-·enable_strategy171 ········-·enable_strategy
172 ········-·low_complexity172 ········-·low_complexity
173 ········-·low_disruption173 ········-·low_disruption
174 ········-·CCE-174 ········-·CCE-
175 ····175 ····
176 ····-·name:·Enable·service·auditd176 ····-·name:·Enable·service·ntp
177 ······service:177 ······service:
178 ········name="{{item}}"178 ········name="{{item}}"
179 ········enabled="yes"179 ········enabled="yes"
180 ········state="started"180 ········state="started"
181 ······with_items:181 ······with_items:
182 ········-·auditd182 ········-·ntp
183 ······tags:183 ······tags:
184 ········-·service_auditd_enabled184 ········-·service_ntp_enabled
185 ········-·medium_severity185 ········-·high_severity
186 ········-·enable_strategy186 ········-·enable_strategy
187 ········-·low_complexity187 ········-·low_complexity
188 ········-·low_disruption188 ········-·low_disruption
189 ········-·CCE-189 ········-·CCE-
190 ········-·NIST-800-53-AC-17(1)190 ········-·NIST-800-53-AU-8(1)
191 ········-·NIST-800-53-AU-1(b)191 ········-·PCI-DSS-Req-10.4
192 ········-·NIST-800-53-AU-10 
193 ········-·NIST-800-53-AU-12(a) 
194 ········-·NIST-800-53-AU-12(c) 
195 ········-·NIST-800-53-IR-5 
196 ········-·PCI-DSS-Req-10 
197 ····192 ····
198 ····-·name:·Enable·service·ntp193 ····-·name:·Enable·service·auditd
199 ······service:194 ······service:
200 ········name="{{item}}"195 ········name="{{item}}"
201 ········enabled="yes"196 ········enabled="yes"
202 ········state="started"197 ········state="started"
203 ······with_items:198 ······with_items:
204 ········-·ntp199 ········-·auditd
205 ······tags:200 ······tags:
206 ········-·service_ntp_enabled201 ········-·service_auditd_enabled
207 ········-·high_severity202 ········-·medium_severity
208 ········-·enable_strategy203 ········-·enable_strategy
209 ········-·low_complexity204 ········-·low_complexity
210 ········-·low_disruption205 ········-·low_disruption
211 ········-·CCE-206 ········-·CCE-
212 ········-·NIST-800-53-AU-8(1)207 ········-·NIST-800-53-AC-17(1)
213 ········-·PCI-DSS-Req-10.4208 ········-·NIST-800-53-AU-1(b)
 209 ········-·NIST-800-53-AU-10
 210 ········-·NIST-800-53-AU-12(a)
 211 ········-·NIST-800-53-AU-12(c)
 212 ········-·NIST-800-53-IR-5
 213 ········-·PCI-DSS-Req-10
214 ····214 ····
215 ····-·name:·Enable·service·rsyslog215 ····-·name:·Enable·service·rsyslog
216 ······service:216 ······service:
217 ········name="{{item}}"217 ········name="{{item}}"
218 ········enabled="yes"218 ········enabled="yes"
219 ········state="started"219 ········state="started"
220 ······with_items:220 ······with_items:
6.62 KB
./usr/share/scap-security-guide/bash/ssg-debian8-role-anssi_np_nt28_average.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·37)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·37)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/37:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/37:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed'47 #·BEGIN·fix·(3·/·37)·for·'package_ntpdate_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'")49 (>&2·echo·"Remediating·rule·3/37:·'package_ntpdate_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·ntpdate50 #·CAUTION:·This·remediation·script·will·remove·ntpdate
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 70, 25 lines modifiedOffset 70, 25 lines modified
70 #»      ···remediation·AFTER·testing·on·a·non-production70 #»      ···remediation·AFTER·testing·on·a·non-production
71 #»      ···system!71 #»      ···system!
  
72 apt-get·remove·--purge·telnetd-ssl72 apt-get·remove·--purge·telnetd-ssl
73 #·END·fix·for·'package_telnetd-ssl_removed'73 #·END·fix·for·'package_telnetd-ssl_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(5·/·37)·for·'package_telnetd_removed'75 #·BEGIN·fix·(5·/·37)·for·'package_inetutils-telnetd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·5/37:·'package_telnetd_removed'")77 (>&2·echo·"Remediating·rule·5/37:·'package_inetutils-telnetd_removed'")
78 #·CAUTION:·This·remediation·script·will·remove·telnetd78 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
79 #»      ···from·the·system,·and·may·remove·any·packages79 #»      ···from·the·system,·and·may·remove·any·packages
80 #»      ···that·depend·on·telnetd.·Execute·this80 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
81 #»      ···remediation·AFTER·testing·on·a·non-production81 #»      ···remediation·AFTER·testing·on·a·non-production
82 #»      ···system!82 #»      ···system!
  
83 apt-get·remove·--purge·telnetd83 apt-get·remove·--purge·inetutils-telnetd
84 #·END·fix·for·'package_telnetd_removed'84 #·END·fix·for·'package_inetutils-telnetd_removed'
  
85 ###############################################################################85 ###############################################################################
86 #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed'86 #·BEGIN·fix·(6·/·37)·for·'package_ntp_installed'
87 ###############################################################################87 ###############################################################################
88 (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'")88 (>&2·echo·"Remediating·rule·6/37:·'package_ntp_installed'")
89 #·FIX·FOR·THIS·RULE·IS·MISSING89 #·FIX·FOR·THIS·RULE·IS·MISSING
90 #·END·fix·for·'package_ntp_installed'90 #·END·fix·for·'package_ntp_installed'
Offset 97, 33 lines modifiedOffset 97, 33 lines modified
97 #·BEGIN·fix·(7·/·37)·for·'sshd_allow_only_protocol2'97 #·BEGIN·fix·(7·/·37)·for·'sshd_allow_only_protocol2'
98 ###############################################################################98 ###############################################################################
99 (>&2·echo·"Remediating·rule·7/37:·'sshd_allow_only_protocol2'")99 (>&2·echo·"Remediating·rule·7/37:·'sshd_allow_only_protocol2'")
100 #·FIX·FOR·THIS·RULE·IS·MISSING100 #·FIX·FOR·THIS·RULE·IS·MISSING
101 #·END·fix·for·'sshd_allow_only_protocol2'101 #·END·fix·for·'sshd_allow_only_protocol2'
  
102 ###############################################################################102 ###############################################################################
103 #·BEGIN·fix·(8·/·37)·for·'sshd_disable_empty_passwords'103 #·BEGIN·fix·(8·/·37)·for·'sshd_set_keepalive'
104 ###############################################################################104 ###############################################################################
105 (>&2·echo·"Remediating·rule·8/37:·'sshd_disable_empty_passwords'")105 (>&2·echo·"Remediating·rule·8/37:·'sshd_set_keepalive'")
106 #·FIX·FOR·THIS·RULE·IS·MISSING106 #·FIX·FOR·THIS·RULE·IS·MISSING
107 #·END·fix·for·'sshd_disable_empty_passwords'107 #·END·fix·for·'sshd_set_keepalive'
  
108 ###############################################################################108 ###############################################################################
109 #·BEGIN·fix·(9·/·37)·for·'sshd_set_idle_timeout'109 #·BEGIN·fix·(9·/·37)·for·'sshd_set_idle_timeout'
110 ###############################################################################110 ###############################################################################
111 (>&2·echo·"Remediating·rule·9/37:·'sshd_set_idle_timeout'")111 (>&2·echo·"Remediating·rule·9/37:·'sshd_set_idle_timeout'")
112 #·FIX·FOR·THIS·RULE·IS·MISSING112 #·FIX·FOR·THIS·RULE·IS·MISSING
113 #·END·fix·for·'sshd_set_idle_timeout'113 #·END·fix·for·'sshd_set_idle_timeout'
  
114 ###############################################################################114 ###############################################################################
115 #·BEGIN·fix·(10·/·37)·for·'sshd_set_keepalive'115 #·BEGIN·fix·(10·/·37)·for·'sshd_disable_empty_passwords'
116 ###############################################################################116 ###############################################################################
117 (>&2·echo·"Remediating·rule·10/37:·'sshd_set_keepalive'")117 (>&2·echo·"Remediating·rule·10/37:·'sshd_disable_empty_passwords'")
118 #·FIX·FOR·THIS·RULE·IS·MISSING118 #·FIX·FOR·THIS·RULE·IS·MISSING
119 #·END·fix·for·'sshd_set_keepalive'119 #·END·fix·for·'sshd_disable_empty_passwords'
  
120 ###############################################################################120 ###############################################################################
121 #·BEGIN·fix·(11·/·37)·for·'sshd_disable_root_login'121 #·BEGIN·fix·(11·/·37)·for·'sshd_disable_root_login'
122 ###############################################################################122 ###############################################################################
123 (>&2·echo·"Remediating·rule·11/37:·'sshd_disable_root_login'")123 (>&2·echo·"Remediating·rule·11/37:·'sshd_disable_root_login'")
124 #·FIX·FOR·THIS·RULE·IS·MISSING124 #·FIX·FOR·THIS·RULE·IS·MISSING
125 #·END·fix·for·'sshd_disable_root_login'125 #·END·fix·for·'sshd_disable_root_login'
Offset 160, 26 lines modifiedOffset 160, 26 lines modified
160 #·BEGIN·fix·(16·/·37)·for·'rsyslog_files_groupownership'160 #·BEGIN·fix·(16·/·37)·for·'rsyslog_files_groupownership'
161 ###############################################################################161 ###############################################################################
162 (>&2·echo·"Remediating·rule·16/37:·'rsyslog_files_groupownership'")162 (>&2·echo·"Remediating·rule·16/37:·'rsyslog_files_groupownership'")
163 #·FIX·FOR·THIS·RULE·IS·MISSING163 #·FIX·FOR·THIS·RULE·IS·MISSING
164 #·END·fix·for·'rsyslog_files_groupownership'164 #·END·fix·for·'rsyslog_files_groupownership'
  
165 ###############################################################################165 ###############################################################################
166 #·BEGIN·fix·(17·/·37)·for·'package_syslogng_installed'166 #·BEGIN·fix·(17·/·37)·for·'service_syslogng_enabled'
167 ###############################################################################167 ###############################################################################
168 (>&2·echo·"Remediating·rule·17/37:·'package_syslogng_installed'")168 (>&2·echo·"Remediating·rule·17/37:·'service_syslogng_enabled'")
169 #·FIX·FOR·THIS·RULE·IS·MISSING169 #·FIX·FOR·THIS·RULE·IS·MISSING
170 #·END·fix·for·'package_syslogng_installed'170 #·END·fix·for·'service_syslogng_enabled'
  
171 ###############################################################################171 ###############################################################################
172 #·BEGIN·fix·(18·/·37)·for·'service_syslogng_enabled'172 #·BEGIN·fix·(18·/·37)·for·'package_syslogng_installed'
173 ###############################################################################173 ###############################################################################
174 (>&2·echo·"Remediating·rule·18/37:·'service_syslogng_enabled'")174 (>&2·echo·"Remediating·rule·18/37:·'package_syslogng_installed'")
175 #·FIX·FOR·THIS·RULE·IS·MISSING175 #·FIX·FOR·THIS·RULE·IS·MISSING
176 #·END·fix·for·'service_syslogng_enabled'176 #·END·fix·for·'package_syslogng_installed'
  
177 ###############################################################################177 ###############################################################################
178 #·BEGIN·fix·(19·/·37)·for·'ensure_logrotate_activated'178 #·BEGIN·fix·(19·/·37)·for·'ensure_logrotate_activated'
179 ###############################################################################179 ###############################################################################
180 (>&2·echo·"Remediating·rule·19/37:·'ensure_logrotate_activated'")180 (>&2·echo·"Remediating·rule·19/37:·'ensure_logrotate_activated'")
181 #·FIX·FOR·THIS·RULE·IS·MISSING181 #·FIX·FOR·THIS·RULE·IS·MISSING
182 #·END·fix·for·'ensure_logrotate_activated'182 #·END·fix·for·'ensure_logrotate_activated'
12.3 KB
./usr/share/scap-security-guide/bash/ssg-debian8-role-anssi_np_nt28_high.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·42)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·42)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/42:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/42:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·42)·for·'package_ntpdate_removed'47 #·BEGIN·fix·(3·/·42)·for·'package_ntpdate_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/42:·'package_ntpdate_removed'")49 (>&2·echo·"Remediating·rule·3/42:·'package_ntpdate_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·ntpdate50 #·CAUTION:·This·remediation·script·will·remove·ntpdate
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 70, 25 lines modifiedOffset 70, 25 lines modified
70 #»      ···remediation·AFTER·testing·on·a·non-production70 #»      ···remediation·AFTER·testing·on·a·non-production
71 #»      ···system!71 #»      ···system!
  
72 apt-get·remove·--purge·telnetd-ssl72 apt-get·remove·--purge·telnetd-ssl
73 #·END·fix·for·'package_telnetd-ssl_removed'73 #·END·fix·for·'package_telnetd-ssl_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(5·/·42)·for·'package_telnetd_removed'75 #·BEGIN·fix·(5·/·42)·for·'package_inetutils-telnetd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·5/42:·'package_telnetd_removed'")77 (>&2·echo·"Remediating·rule·5/42:·'package_inetutils-telnetd_removed'")
78 #·CAUTION:·This·remediation·script·will·remove·telnetd78 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
79 #»      ···from·the·system,·and·may·remove·any·packages79 #»      ···from·the·system,·and·may·remove·any·packages
80 #»      ···that·depend·on·telnetd.·Execute·this80 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
81 #»      ···remediation·AFTER·testing·on·a·non-production81 #»      ···remediation·AFTER·testing·on·a·non-production
82 #»      ···system!82 #»      ···system!
  
83 apt-get·remove·--purge·telnetd83 apt-get·remove·--purge·inetutils-telnetd
84 #·END·fix·for·'package_telnetd_removed'84 #·END·fix·for·'package_inetutils-telnetd_removed'
  
85 ###############################################################################85 ###############################################################################
86 #·BEGIN·fix·(6·/·42)·for·'package_ntp_installed'86 #·BEGIN·fix·(6·/·42)·for·'package_ntp_installed'
87 ###############################################################################87 ###############################################################################
88 (>&2·echo·"Remediating·rule·6/42:·'package_ntp_installed'")88 (>&2·echo·"Remediating·rule·6/42:·'package_ntp_installed'")
89 #·FIX·FOR·THIS·RULE·IS·MISSING89 #·FIX·FOR·THIS·RULE·IS·MISSING
90 #·END·fix·for·'package_ntp_installed'90 #·END·fix·for·'package_ntp_installed'
Offset 104, 54 lines modifiedOffset 104, 54 lines modified
104 #·BEGIN·fix·(8·/·42)·for·'package_auditd_installed'104 #·BEGIN·fix·(8·/·42)·for·'package_auditd_installed'
105 ###############################################################################105 ###############################################################################
106 (>&2·echo·"Remediating·rule·8/42:·'package_auditd_installed'")106 (>&2·echo·"Remediating·rule·8/42:·'package_auditd_installed'")
107 #·FIX·FOR·THIS·RULE·IS·MISSING107 #·FIX·FOR·THIS·RULE·IS·MISSING
108 #·END·fix·for·'package_auditd_installed'108 #·END·fix·for·'package_auditd_installed'
  
109 ###############################################################################109 ###############################################################################
110 #·BEGIN·fix·(9·/·42)·for·'service_auditd_enabled'110 #·BEGIN·fix·(9·/·42)·for·'service_ntp_enabled'
111 ###############################################################################111 ###############################################################################
112 (>&2·echo·"Remediating·rule·9/42:·'service_auditd_enabled'")112 (>&2·echo·"Remediating·rule·9/42:·'service_ntp_enabled'")
113 #·FIX·FOR·THIS·RULE·IS·MISSING113 #·FIX·FOR·THIS·RULE·IS·MISSING
114 #·END·fix·for·'service_auditd_enabled'114 #·END·fix·for·'service_ntp_enabled'
  
115 ###############################################################################115 ###############################################################################
116 #·BEGIN·fix·(10·/·42)·for·'service_ntp_enabled'116 #·BEGIN·fix·(10·/·42)·for·'service_auditd_enabled'
117 ###############################################################################117 ###############################################################################
118 (>&2·echo·"Remediating·rule·10/42:·'service_ntp_enabled'")118 (>&2·echo·"Remediating·rule·10/42:·'service_auditd_enabled'")
119 #·FIX·FOR·THIS·RULE·IS·MISSING119 #·FIX·FOR·THIS·RULE·IS·MISSING
120 #·END·fix·for·'service_ntp_enabled'120 #·END·fix·for·'service_auditd_enabled'
  
121 ###############################################################################121 ###############################################################################
122 #·BEGIN·fix·(11·/·42)·for·'sshd_allow_only_protocol2'122 #·BEGIN·fix·(11·/·42)·for·'sshd_allow_only_protocol2'
123 ###############################################################################123 ###############################################################################
124 (>&2·echo·"Remediating·rule·11/42:·'sshd_allow_only_protocol2'")124 (>&2·echo·"Remediating·rule·11/42:·'sshd_allow_only_protocol2'")
125 #·FIX·FOR·THIS·RULE·IS·MISSING125 #·FIX·FOR·THIS·RULE·IS·MISSING
126 #·END·fix·for·'sshd_allow_only_protocol2'126 #·END·fix·for·'sshd_allow_only_protocol2'
  
127 ###############################################################################127 ###############################################################################
128 #·BEGIN·fix·(12·/·42)·for·'sshd_disable_empty_passwords'128 #·BEGIN·fix·(12·/·42)·for·'sshd_set_keepalive'
129 ###############################################################################129 ###############################################################################
130 (>&2·echo·"Remediating·rule·12/42:·'sshd_disable_empty_passwords'")130 (>&2·echo·"Remediating·rule·12/42:·'sshd_set_keepalive'")
131 #·FIX·FOR·THIS·RULE·IS·MISSING131 #·FIX·FOR·THIS·RULE·IS·MISSING
132 #·END·fix·for·'sshd_disable_empty_passwords'132 #·END·fix·for·'sshd_set_keepalive'
  
133 ###############################################################################133 ###############################################################################
134 #·BEGIN·fix·(13·/·42)·for·'sshd_set_idle_timeout'134 #·BEGIN·fix·(13·/·42)·for·'sshd_set_idle_timeout'
135 ###############################################################################135 ###############################################################################
136 (>&2·echo·"Remediating·rule·13/42:·'sshd_set_idle_timeout'")136 (>&2·echo·"Remediating·rule·13/42:·'sshd_set_idle_timeout'")
137 #·FIX·FOR·THIS·RULE·IS·MISSING137 #·FIX·FOR·THIS·RULE·IS·MISSING
138 #·END·fix·for·'sshd_set_idle_timeout'138 #·END·fix·for·'sshd_set_idle_timeout'
  
139 ###############################################################################139 ###############################################################################
140 #·BEGIN·fix·(14·/·42)·for·'sshd_set_keepalive'140 #·BEGIN·fix·(14·/·42)·for·'sshd_disable_empty_passwords'
141 ###############################################################################141 ###############################################################################
142 (>&2·echo·"Remediating·rule·14/42:·'sshd_set_keepalive'")142 (>&2·echo·"Remediating·rule·14/42:·'sshd_disable_empty_passwords'")
143 #·FIX·FOR·THIS·RULE·IS·MISSING143 #·FIX·FOR·THIS·RULE·IS·MISSING
144 #·END·fix·for·'sshd_set_keepalive'144 #·END·fix·for·'sshd_disable_empty_passwords'
  
145 ###############################################################################145 ###############################################################################
146 #·BEGIN·fix·(15·/·42)·for·'sshd_disable_root_login'146 #·BEGIN·fix·(15·/·42)·for·'sshd_disable_root_login'
147 ###############################################################################147 ###############################################################################
148 (>&2·echo·"Remediating·rule·15/42:·'sshd_disable_root_login'")148 (>&2·echo·"Remediating·rule·15/42:·'sshd_disable_root_login'")
149 #·FIX·FOR·THIS·RULE·IS·MISSING149 #·FIX·FOR·THIS·RULE·IS·MISSING
150 #·END·fix·for·'sshd_disable_root_login'150 #·END·fix·for·'sshd_disable_root_login'
Offset 188, 26 lines modifiedOffset 188, 26 lines modified
188 #·BEGIN·fix·(20·/·42)·for·'rsyslog_files_groupownership'188 #·BEGIN·fix·(20·/·42)·for·'rsyslog_files_groupownership'
189 ###############################################################################189 ###############################################################################
190 (>&2·echo·"Remediating·rule·20/42:·'rsyslog_files_groupownership'")190 (>&2·echo·"Remediating·rule·20/42:·'rsyslog_files_groupownership'")
191 #·FIX·FOR·THIS·RULE·IS·MISSING191 #·FIX·FOR·THIS·RULE·IS·MISSING
192 #·END·fix·for·'rsyslog_files_groupownership'192 #·END·fix·for·'rsyslog_files_groupownership'
  
193 ###############################################################################193 ###############################################################################
194 #·BEGIN·fix·(21·/·42)·for·'package_syslogng_installed'194 #·BEGIN·fix·(21·/·42)·for·'service_syslogng_enabled'
195 ###############################################################################195 ###############################################################################
196 (>&2·echo·"Remediating·rule·21/42:·'package_syslogng_installed'")196 (>&2·echo·"Remediating·rule·21/42:·'service_syslogng_enabled'")
197 #·FIX·FOR·THIS·RULE·IS·MISSING197 #·FIX·FOR·THIS·RULE·IS·MISSING
198 #·END·fix·for·'package_syslogng_installed'198 #·END·fix·for·'service_syslogng_enabled'
  
199 ###############################################################################199 ###############################################################################
200 #·BEGIN·fix·(22·/·42)·for·'service_syslogng_enabled'200 #·BEGIN·fix·(22·/·42)·for·'package_syslogng_installed'
201 ###############################################################################201 ###############################################################################
202 (>&2·echo·"Remediating·rule·22/42:·'service_syslogng_enabled'")202 (>&2·echo·"Remediating·rule·22/42:·'package_syslogng_installed'")
203 #·FIX·FOR·THIS·RULE·IS·MISSING203 #·FIX·FOR·THIS·RULE·IS·MISSING
204 #·END·fix·for·'service_syslogng_enabled'204 #·END·fix·for·'package_syslogng_installed'
  
Max diff block lines reached; 4709/12406 bytes (37.96%) of diff not shown.
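Review bot: The only difference between the two builds of this script is the order in which rule pairs are emitted — `package_telnetd_removed`/`package_inetutils-telnetd_removed` (rules 2 and 5), `service_ntp_enabled`/`service_auditd_enabled` (9 and 10), `sshd_set_keepalive`/`sshd_disable_empty_passwords` (12 and 14) and `service_syslogng_enabled`/`package_syslogng_installed` (21 and 22) swap places while the rule set and its size (42) stay the same, so the defect is in the generator, not in the script: it appears to iterate an unordered collection (a hash-ordered set or dict, presumably) when numbering rules, and that alone makes the ssg-debderived/ssg-debian packages unreproducible. The fix belongs in the build step that writes these `# BEGIN fix (N / 42)` headers — sort the selected rules by a stable key (rule id, or the profile's declared selection order) before emitting them — and the same swap shows up in the `anssi_np_nt28_minimal.sh` and `anssi_np_nt28_restrictive.sh` sections below. The swapped rules are all either `# FIX FOR THIS RULE IS MISSING` stubs or independent `apt-get remove --purge` calls, so the reordering is harmless at run time; the remaining diff (about 38 %) is not shown here, so later rules may differ the same way. Separately, every `apt-get remove --purge <pkg>` in the new side runs without `-y` or `DEBIAN_FRONTEND=noninteractive`, so when apt decides to remove dependents it may stop on the `[Y/n]` confirmation when the remediation is run unattended; worth confirming against how the scanner invokes these scripts.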
4.67 KB
./usr/share/scap-security-guide/bash/ssg-debian8-role-anssi_np_nt28_minimal.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·16)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·16)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/16:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/16:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·16)·for·'package_telnetd-ssl_removed'47 #·BEGIN·fix·(3·/·16)·for·'package_telnetd-ssl_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/16:·'package_telnetd-ssl_removed'")49 (>&2·echo·"Remediating·rule·3/16:·'package_telnetd-ssl_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl50 #·CAUTION:·This·remediation·script·will·remove·telnetd-ssl
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 57, 25 lines modifiedOffset 57, 25 lines modified
57 #»      ···remediation·AFTER·testing·on·a·non-production57 #»      ···remediation·AFTER·testing·on·a·non-production
58 #»      ···system!58 #»      ···system!
  
59 apt-get·remove·--purge·telnetd-ssl59 apt-get·remove·--purge·telnetd-ssl
60 #·END·fix·for·'package_telnetd-ssl_removed'60 #·END·fix·for·'package_telnetd-ssl_removed'
  
61 ###############################################################################61 ###############################################################################
62 #·BEGIN·fix·(4·/·16)·for·'package_telnetd_removed'62 #·BEGIN·fix·(4·/·16)·for·'package_inetutils-telnetd_removed'
63 ###############################################################################63 ###############################################################################
64 (>&2·echo·"Remediating·rule·4/16:·'package_telnetd_removed'")64 (>&2·echo·"Remediating·rule·4/16:·'package_inetutils-telnetd_removed'")
65 #·CAUTION:·This·remediation·script·will·remove·telnetd65 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
66 #»      ···from·the·system,·and·may·remove·any·packages66 #»      ···from·the·system,·and·may·remove·any·packages
67 #»      ···that·depend·on·telnetd.·Execute·this67 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
68 #»      ···remediation·AFTER·testing·on·a·non-production68 #»      ···remediation·AFTER·testing·on·a·non-production
69 #»      ···system!69 #»      ···system!
  
70 apt-get·remove·--purge·telnetd70 apt-get·remove·--purge·inetutils-telnetd
71 #·END·fix·for·'package_telnetd_removed'71 #·END·fix·for·'package_inetutils-telnetd_removed'
  
72 ###############################################################################72 ###############################################################################
73 #·BEGIN·fix·(5·/·16)·for·'apt_conf_disallow_unauthenticated'73 #·BEGIN·fix·(5·/·16)·for·'apt_conf_disallow_unauthenticated'
74 ###############################################################################74 ###############################################################################
75 (>&2·echo·"Remediating·rule·5/16:·'apt_conf_disallow_unauthenticated'")75 (>&2·echo·"Remediating·rule·5/16:·'apt_conf_disallow_unauthenticated'")
76 #·FIX·FOR·THIS·RULE·IS·MISSING76 #·FIX·FOR·THIS·RULE·IS·MISSING
77 #·END·fix·for·'apt_conf_disallow_unauthenticated'77 #·END·fix·for·'apt_conf_disallow_unauthenticated'
Offset 84, 26 lines modifiedOffset 84, 26 lines modified
84 #·BEGIN·fix·(6·/·16)·for·'apt_sources_list_official'84 #·BEGIN·fix·(6·/·16)·for·'apt_sources_list_official'
85 ###############################################################################85 ###############################################################################
86 (>&2·echo·"Remediating·rule·6/16:·'apt_sources_list_official'")86 (>&2·echo·"Remediating·rule·6/16:·'apt_sources_list_official'")
87 #·FIX·FOR·THIS·RULE·IS·MISSING87 #·FIX·FOR·THIS·RULE·IS·MISSING
88 #·END·fix·for·'apt_sources_list_official'88 #·END·fix·for·'apt_sources_list_official'
  
89 ###############################################################################89 ###############################################################################
90 #·BEGIN·fix·(7·/·16)·for·'package_syslogng_installed'90 #·BEGIN·fix·(7·/·16)·for·'service_syslogng_enabled'
91 ###############################################################################91 ###############################################################################
92 (>&2·echo·"Remediating·rule·7/16:·'package_syslogng_installed'")92 (>&2·echo·"Remediating·rule·7/16:·'service_syslogng_enabled'")
93 #·FIX·FOR·THIS·RULE·IS·MISSING93 #·FIX·FOR·THIS·RULE·IS·MISSING
94 #·END·fix·for·'package_syslogng_installed'94 #·END·fix·for·'service_syslogng_enabled'
  
95 ###############################################################################95 ###############################################################################
96 #·BEGIN·fix·(8·/·16)·for·'service_syslogng_enabled'96 #·BEGIN·fix·(8·/·16)·for·'package_syslogng_installed'
97 ###############################################################################97 ###############################################################################
98 (>&2·echo·"Remediating·rule·8/16:·'service_syslogng_enabled'")98 (>&2·echo·"Remediating·rule·8/16:·'package_syslogng_installed'")
99 #·FIX·FOR·THIS·RULE·IS·MISSING99 #·FIX·FOR·THIS·RULE·IS·MISSING
100 #·END·fix·for·'service_syslogng_enabled'100 #·END·fix·for·'package_syslogng_installed'
  
101 ###############################################################################101 ###############################################################################
102 #·BEGIN·fix·(9·/·16)·for·'service_rsyslog_enabled'102 #·BEGIN·fix·(9·/·16)·for·'service_rsyslog_enabled'
103 ###############################################################################103 ###############################################################################
104 (>&2·echo·"Remediating·rule·9/16:·'service_rsyslog_enabled'")104 (>&2·echo·"Remediating·rule·9/16:·'service_rsyslog_enabled'")
105 #·FIX·FOR·THIS·RULE·IS·MISSING105 #·FIX·FOR·THIS·RULE·IS·MISSING
106 #·END·fix·for·'service_rsyslog_enabled'106 #·END·fix·for·'service_rsyslog_enabled'
7.95 KB
./usr/share/scap-security-guide/bash/ssg-debian8-role-anssi_np_nt28_restrictive.sh
    
Offset 31, 25 lines modifiedOffset 31, 25 lines modified
31 #»      ···remediation·AFTER·testing·on·a·non-production31 #»      ···remediation·AFTER·testing·on·a·non-production
32 #»      ···system!32 #»      ···system!
  
33 apt-get·remove·--purge·nis33 apt-get·remove·--purge·nis
34 #·END·fix·for·'package_nis_removed'34 #·END·fix·for·'package_nis_removed'
  
35 ###############################################################################35 ###############################################################################
36 #·BEGIN·fix·(2·/·41)·for·'package_inetutils-telnetd_removed'36 #·BEGIN·fix·(2·/·41)·for·'package_telnetd_removed'
37 ###############################################################################37 ###############################################################################
38 (>&2·echo·"Remediating·rule·2/41:·'package_inetutils-telnetd_removed'")38 (>&2·echo·"Remediating·rule·2/41:·'package_telnetd_removed'")
39 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd39 #·CAUTION:·This·remediation·script·will·remove·telnetd
40 #»      ···from·the·system,·and·may·remove·any·packages40 #»      ···from·the·system,·and·may·remove·any·packages
41 #»      ···that·depend·on·inetutils-telnetd.·Execute·this41 #»      ···that·depend·on·telnetd.·Execute·this
42 #»      ···remediation·AFTER·testing·on·a·non-production42 #»      ···remediation·AFTER·testing·on·a·non-production
43 #»      ···system!43 #»      ···system!
  
44 apt-get·remove·--purge·inetutils-telnetd44 apt-get·remove·--purge·telnetd
45 #·END·fix·for·'package_inetutils-telnetd_removed'45 #·END·fix·for·'package_telnetd_removed'
  
46 ###############################################################################46 ###############################################################################
47 #·BEGIN·fix·(3·/·41)·for·'package_ntpdate_removed'47 #·BEGIN·fix·(3·/·41)·for·'package_ntpdate_removed'
48 ###############################################################################48 ###############################################################################
49 (>&2·echo·"Remediating·rule·3/41:·'package_ntpdate_removed'")49 (>&2·echo·"Remediating·rule·3/41:·'package_ntpdate_removed'")
50 #·CAUTION:·This·remediation·script·will·remove·ntpdate50 #·CAUTION:·This·remediation·script·will·remove·ntpdate
51 #»      ···from·the·system,·and·may·remove·any·packages51 #»      ···from·the·system,·and·may·remove·any·packages
Offset 70, 25 lines modifiedOffset 70, 25 lines modified
70 #»      ···remediation·AFTER·testing·on·a·non-production70 #»      ···remediation·AFTER·testing·on·a·non-production
71 #»      ···system!71 #»      ···system!
  
72 apt-get·remove·--purge·telnetd-ssl72 apt-get·remove·--purge·telnetd-ssl
73 #·END·fix·for·'package_telnetd-ssl_removed'73 #·END·fix·for·'package_telnetd-ssl_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(5·/·41)·for·'package_telnetd_removed'75 #·BEGIN·fix·(5·/·41)·for·'package_inetutils-telnetd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·5/41:·'package_telnetd_removed'")77 (>&2·echo·"Remediating·rule·5/41:·'package_inetutils-telnetd_removed'")
78 #·CAUTION:·This·remediation·script·will·remove·telnetd78 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
79 #»      ···from·the·system,·and·may·remove·any·packages79 #»      ···from·the·system,·and·may·remove·any·packages
80 #»      ···that·depend·on·telnetd.·Execute·this80 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
81 #»      ···remediation·AFTER·testing·on·a·non-production81 #»      ···remediation·AFTER·testing·on·a·non-production
82 #»      ···system!82 #»      ···system!
  
83 apt-get·remove·--purge·telnetd83 apt-get·remove·--purge·inetutils-telnetd
84 #·END·fix·for·'package_telnetd_removed'84 #·END·fix·for·'package_inetutils-telnetd_removed'
  
85 ###############################################################################85 ###############################################################################
86 #·BEGIN·fix·(6·/·41)·for·'package_ntp_installed'86 #·BEGIN·fix·(6·/·41)·for·'package_ntp_installed'
87 ###############################################################################87 ###############################################################################
88 (>&2·echo·"Remediating·rule·6/41:·'package_ntp_installed'")88 (>&2·echo·"Remediating·rule·6/41:·'package_ntp_installed'")
89 #·FIX·FOR·THIS·RULE·IS·MISSING89 #·FIX·FOR·THIS·RULE·IS·MISSING
90 #·END·fix·for·'package_ntp_installed'90 #·END·fix·for·'package_ntp_installed'
Offset 104, 54 lines modifiedOffset 104, 54 lines modified
104 #·BEGIN·fix·(8·/·41)·for·'package_auditd_installed'104 #·BEGIN·fix·(8·/·41)·for·'package_auditd_installed'
105 ###############################################################################105 ###############################################################################
106 (>&2·echo·"Remediating·rule·8/41:·'package_auditd_installed'")106 (>&2·echo·"Remediating·rule·8/41:·'package_auditd_installed'")
107 #·FIX·FOR·THIS·RULE·IS·MISSING107 #·FIX·FOR·THIS·RULE·IS·MISSING
108 #·END·fix·for·'package_auditd_installed'108 #·END·fix·for·'package_auditd_installed'
  
109 ###############################################################################109 ###############################################################################
110 #·BEGIN·fix·(9·/·41)·for·'service_auditd_enabled'110 #·BEGIN·fix·(9·/·41)·for·'service_ntp_enabled'
111 ###############################################################################111 ###############################################################################
112 (>&2·echo·"Remediating·rule·9/41:·'service_auditd_enabled'")112 (>&2·echo·"Remediating·rule·9/41:·'service_ntp_enabled'")
113 #·FIX·FOR·THIS·RULE·IS·MISSING113 #·FIX·FOR·THIS·RULE·IS·MISSING
114 #·END·fix·for·'service_auditd_enabled'114 #·END·fix·for·'service_ntp_enabled'
  
115 ###############################################################################115 ###############################################################################
116 #·BEGIN·fix·(10·/·41)·for·'service_ntp_enabled'116 #·BEGIN·fix·(10·/·41)·for·'service_auditd_enabled'
117 ###############################################################################117 ###############################################################################
118 (>&2·echo·"Remediating·rule·10/41:·'service_ntp_enabled'")118 (>&2·echo·"Remediating·rule·10/41:·'service_auditd_enabled'")
119 #·FIX·FOR·THIS·RULE·IS·MISSING119 #·FIX·FOR·THIS·RULE·IS·MISSING
120 #·END·fix·for·'service_ntp_enabled'120 #·END·fix·for·'service_auditd_enabled'
  
121 ###############################################################################121 ###############################################################################
122 #·BEGIN·fix·(11·/·41)·for·'sshd_allow_only_protocol2'122 #·BEGIN·fix·(11·/·41)·for·'sshd_allow_only_protocol2'
123 ###############################################################################123 ###############################################################################
124 (>&2·echo·"Remediating·rule·11/41:·'sshd_allow_only_protocol2'")124 (>&2·echo·"Remediating·rule·11/41:·'sshd_allow_only_protocol2'")
125 #·FIX·FOR·THIS·RULE·IS·MISSING125 #·FIX·FOR·THIS·RULE·IS·MISSING
126 #·END·fix·for·'sshd_allow_only_protocol2'126 #·END·fix·for·'sshd_allow_only_protocol2'
  
127 ###############################################################################127 ###############################################################################
128 #·BEGIN·fix·(12·/·41)·for·'sshd_disable_empty_passwords'128 #·BEGIN·fix·(12·/·41)·for·'sshd_set_keepalive'
129 ###############################################################################129 ###############################################################################
130 (>&2·echo·"Remediating·rule·12/41:·'sshd_disable_empty_passwords'")130 (>&2·echo·"Remediating·rule·12/41:·'sshd_set_keepalive'")
131 #·FIX·FOR·THIS·RULE·IS·MISSING131 #·FIX·FOR·THIS·RULE·IS·MISSING
132 #·END·fix·for·'sshd_disable_empty_passwords'132 #·END·fix·for·'sshd_set_keepalive'
  
133 ###############################################################################133 ###############################################################################
134 #·BEGIN·fix·(13·/·41)·for·'sshd_set_idle_timeout'134 #·BEGIN·fix·(13·/·41)·for·'sshd_set_idle_timeout'
135 ###############################################################################135 ###############################################################################
136 (>&2·echo·"Remediating·rule·13/41:·'sshd_set_idle_timeout'")136 (>&2·echo·"Remediating·rule·13/41:·'sshd_set_idle_timeout'")
137 #·FIX·FOR·THIS·RULE·IS·MISSING137 #·FIX·FOR·THIS·RULE·IS·MISSING
138 #·END·fix·for·'sshd_set_idle_timeout'138 #·END·fix·for·'sshd_set_idle_timeout'
  
139 ###############################################################################139 ###############################################################################
140 #·BEGIN·fix·(14·/·41)·for·'sshd_set_keepalive'140 #·BEGIN·fix·(14·/·41)·for·'sshd_disable_empty_passwords'
141 ###############################################################################141 ###############################################################################
142 (>&2·echo·"Remediating·rule·14/41:·'sshd_set_keepalive'")142 (>&2·echo·"Remediating·rule·14/41:·'sshd_disable_empty_passwords'")
143 #·FIX·FOR·THIS·RULE·IS·MISSING143 #·FIX·FOR·THIS·RULE·IS·MISSING
144 #·END·fix·for·'sshd_set_keepalive'144 #·END·fix·for·'sshd_disable_empty_passwords'
  
145 ###############################################################################145 ###############################################################################
146 #·BEGIN·fix·(15·/·41)·for·'sshd_disable_root_login'146 #·BEGIN·fix·(15·/·41)·for·'sshd_disable_root_login'
147 ###############################################################################147 ###############################################################################
148 (>&2·echo·"Remediating·rule·15/41:·'sshd_disable_root_login'")148 (>&2·echo·"Remediating·rule·15/41:·'sshd_disable_root_login'")
149 #·FIX·FOR·THIS·RULE·IS·MISSING149 #·FIX·FOR·THIS·RULE·IS·MISSING
150 #·END·fix·for·'sshd_disable_root_login'150 #·END·fix·for·'sshd_disable_root_login'
Offset 188, 26 lines modifiedOffset 188, 26 lines modified
188 #·BEGIN·fix·(20·/·41)·for·'rsyslog_files_groupownership'188 #·BEGIN·fix·(20·/·41)·for·'rsyslog_files_groupownership'
189 ###############################################################################189 ###############################################################################
190 (>&2·echo·"Remediating·rule·20/41:·'rsyslog_files_groupownership'")190 (>&2·echo·"Remediating·rule·20/41:·'rsyslog_files_groupownership'")
191 #·FIX·FOR·THIS·RULE·IS·MISSING191 #·FIX·FOR·THIS·RULE·IS·MISSING
192 #·END·fix·for·'rsyslog_files_groupownership'192 #·END·fix·for·'rsyslog_files_groupownership'
  
193 ###############################################################################193 ###############################################################################
194 #·BEGIN·fix·(21·/·41)·for·'package_syslogng_installed'194 #·BEGIN·fix·(21·/·41)·for·'service_syslogng_enabled'
195 ###############################################################################195 ###############################################################################
196 (>&2·echo·"Remediating·rule·21/41:·'package_syslogng_installed'")196 (>&2·echo·"Remediating·rule·21/41:·'service_syslogng_enabled'")
197 #·FIX·FOR·THIS·RULE·IS·MISSING197 #·FIX·FOR·THIS·RULE·IS·MISSING
198 #·END·fix·for·'package_syslogng_installed'198 #·END·fix·for·'service_syslogng_enabled'
  
199 ###############################################################################199 ###############################################################################
200 #·BEGIN·fix·(22·/·41)·for·'service_syslogng_enabled'200 #·BEGIN·fix·(22·/·41)·for·'package_syslogng_installed'
201 ###############################################################################201 ###############################################################################
202 (>&2·echo·"Remediating·rule·22/41:·'service_syslogng_enabled'")202 (>&2·echo·"Remediating·rule·22/41:·'package_syslogng_installed'")
203 #·FIX·FOR·THIS·RULE·IS·MISSING203 #·FIX·FOR·THIS·RULE·IS·MISSING
204 #·END·fix·for·'service_syslogng_enabled'204 #·END·fix·for·'package_syslogng_installed'
  
Max diff block lines reached; 280/7977 bytes (3.51%) of diff not shown.
6.24 KB
./usr/share/scap-security-guide/bash/ssg-debian8-role-standard.sh
    
Offset 33, 25 lines modifiedOffset 33, 25 lines modified
33 #»      ···remediation·AFTER·testing·on·a·non-production33 #»      ···remediation·AFTER·testing·on·a·non-production
34 #»      ···system!34 #»      ···system!
  
35 apt-get·remove·--purge·nis35 apt-get·remove·--purge·nis
36 #·END·fix·for·'package_nis_removed'36 #·END·fix·for·'package_nis_removed'
  
37 ###############################################################################37 ###############################################################################
38 #·BEGIN·fix·(2·/·36)·for·'package_inetutils-telnetd_removed'38 #·BEGIN·fix·(2·/·36)·for·'package_telnetd_removed'
39 ###############################################################################39 ###############################################################################
40 (>&2·echo·"Remediating·rule·2/36:·'package_inetutils-telnetd_removed'")40 (>&2·echo·"Remediating·rule·2/36:·'package_telnetd_removed'")
41 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd41 #·CAUTION:·This·remediation·script·will·remove·telnetd
42 #»      ···from·the·system,·and·may·remove·any·packages42 #»      ···from·the·system,·and·may·remove·any·packages
43 #»      ···that·depend·on·inetutils-telnetd.·Execute·this43 #»      ···that·depend·on·telnetd.·Execute·this
44 #»      ···remediation·AFTER·testing·on·a·non-production44 #»      ···remediation·AFTER·testing·on·a·non-production
45 #»      ···system!45 #»      ···system!
  
46 apt-get·remove·--purge·inetutils-telnetd46 apt-get·remove·--purge·telnetd
47 #·END·fix·for·'package_inetutils-telnetd_removed'47 #·END·fix·for·'package_telnetd_removed'
  
48 ###############################################################################48 ###############################################################################
49 #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed'49 #·BEGIN·fix·(3·/·36)·for·'package_ntpdate_removed'
50 ###############################################################################50 ###############################################################################
51 (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'")51 (>&2·echo·"Remediating·rule·3/36:·'package_ntpdate_removed'")
52 #·CAUTION:·This·remediation·script·will·remove·ntpdate52 #·CAUTION:·This·remediation·script·will·remove·ntpdate
53 #»      ···from·the·system,·and·may·remove·any·packages53 #»      ···from·the·system,·and·may·remove·any·packages
Offset 72, 25 lines modifiedOffset 72, 25 lines modified
72 #»      ···remediation·AFTER·testing·on·a·non-production72 #»      ···remediation·AFTER·testing·on·a·non-production
73 #»      ···system!73 #»      ···system!
  
74 apt-get·remove·--purge·telnetd-ssl74 apt-get·remove·--purge·telnetd-ssl
75 #·END·fix·for·'package_telnetd-ssl_removed'75 #·END·fix·for·'package_telnetd-ssl_removed'
  
76 ###############################################################################76 ###############################################################################
77 #·BEGIN·fix·(5·/·36)·for·'package_telnetd_removed'77 #·BEGIN·fix·(5·/·36)·for·'package_inetutils-telnetd_removed'
78 ###############################################################################78 ###############################################################################
79 (>&2·echo·"Remediating·rule·5/36:·'package_telnetd_removed'")79 (>&2·echo·"Remediating·rule·5/36:·'package_inetutils-telnetd_removed'")
80 #·CAUTION:·This·remediation·script·will·remove·telnetd80 #·CAUTION:·This·remediation·script·will·remove·inetutils-telnetd
81 #»      ···from·the·system,·and·may·remove·any·packages81 #»      ···from·the·system,·and·may·remove·any·packages
82 #»      ···that·depend·on·telnetd.·Execute·this82 #»      ···that·depend·on·inetutils-telnetd.·Execute·this
83 #»      ···remediation·AFTER·testing·on·a·non-production83 #»      ···remediation·AFTER·testing·on·a·non-production
84 #»      ···system!84 #»      ···system!
  
85 apt-get·remove·--purge·telnetd85 apt-get·remove·--purge·inetutils-telnetd
86 #·END·fix·for·'package_telnetd_removed'86 #·END·fix·for·'package_inetutils-telnetd_removed'
  
87 ###############################################################################87 ###############################################################################
88 #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled'88 #·BEGIN·fix·(6·/·36)·for·'service_cron_enabled'
89 ###############################################################################89 ###############################################################################
90 (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'")90 (>&2·echo·"Remediating·rule·6/36:·'service_cron_enabled'")
91 #·FIX·FOR·THIS·RULE·IS·MISSING91 #·FIX·FOR·THIS·RULE·IS·MISSING
92 #·END·fix·for·'service_cron_enabled'92 #·END·fix·for·'service_cron_enabled'
Offset 113, 54 lines modifiedOffset 113, 54 lines modified
113 #·BEGIN·fix·(9·/·36)·for·'package_auditd_installed'113 #·BEGIN·fix·(9·/·36)·for·'package_auditd_installed'
114 ###############################################################################114 ###############################################################################
115 (>&2·echo·"Remediating·rule·9/36:·'package_auditd_installed'")115 (>&2·echo·"Remediating·rule·9/36:·'package_auditd_installed'")
116 #·FIX·FOR·THIS·RULE·IS·MISSING116 #·FIX·FOR·THIS·RULE·IS·MISSING
117 #·END·fix·for·'package_auditd_installed'117 #·END·fix·for·'package_auditd_installed'
  
118 ###############################################################################118 ###############################################################################
119 #·BEGIN·fix·(10·/·36)·for·'service_auditd_enabled'119 #·BEGIN·fix·(10·/·36)·for·'service_ntp_enabled'
120 ###############################################################################120 ###############################################################################
121 (>&2·echo·"Remediating·rule·10/36:·'service_auditd_enabled'")121 (>&2·echo·"Remediating·rule·10/36:·'service_ntp_enabled'")
122 #·FIX·FOR·THIS·RULE·IS·MISSING122 #·FIX·FOR·THIS·RULE·IS·MISSING
123 #·END·fix·for·'service_auditd_enabled'123 #·END·fix·for·'service_ntp_enabled'
  
124 ###############################################################################124 ###############################################################################
125 #·BEGIN·fix·(11·/·36)·for·'service_ntp_enabled'125 #·BEGIN·fix·(11·/·36)·for·'service_auditd_enabled'
126 ###############################################################################126 ###############################################################################
127 (>&2·echo·"Remediating·rule·11/36:·'service_ntp_enabled'")127 (>&2·echo·"Remediating·rule·11/36:·'service_auditd_enabled'")
128 #·FIX·FOR·THIS·RULE·IS·MISSING128 #·FIX·FOR·THIS·RULE·IS·MISSING
129 #·END·fix·for·'service_ntp_enabled'129 #·END·fix·for·'service_auditd_enabled'
  
130 ###############################################################################130 ###############################################################################
131 #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2'131 #·BEGIN·fix·(12·/·36)·for·'sshd_allow_only_protocol2'
132 ###############################################################################132 ###############################################################################
133 (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'")133 (>&2·echo·"Remediating·rule·12/36:·'sshd_allow_only_protocol2'")
134 #·FIX·FOR·THIS·RULE·IS·MISSING134 #·FIX·FOR·THIS·RULE·IS·MISSING
135 #·END·fix·for·'sshd_allow_only_protocol2'135 #·END·fix·for·'sshd_allow_only_protocol2'
  
136 ###############################################################################136 ###############################################################################
137 #·BEGIN·fix·(13·/·36)·for·'sshd_disable_empty_passwords'137 #·BEGIN·fix·(13·/·36)·for·'sshd_set_keepalive'
138 ###############################################################################138 ###############################################################################
139 (>&2·echo·"Remediating·rule·13/36:·'sshd_disable_empty_passwords'")139 (>&2·echo·"Remediating·rule·13/36:·'sshd_set_keepalive'")
140 #·FIX·FOR·THIS·RULE·IS·MISSING140 #·FIX·FOR·THIS·RULE·IS·MISSING
141 #·END·fix·for·'sshd_disable_empty_passwords'141 #·END·fix·for·'sshd_set_keepalive'
  
142 ###############################################################################142 ###############################################################################
143 #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout'143 #·BEGIN·fix·(14·/·36)·for·'sshd_set_idle_timeout'
144 ###############################################################################144 ###############################################################################
145 (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'")145 (>&2·echo·"Remediating·rule·14/36:·'sshd_set_idle_timeout'")
146 #·FIX·FOR·THIS·RULE·IS·MISSING146 #·FIX·FOR·THIS·RULE·IS·MISSING
147 #·END·fix·for·'sshd_set_idle_timeout'147 #·END·fix·for·'sshd_set_idle_timeout'
  
148 ###############################################################################148 ###############################################################################
149 #·BEGIN·fix·(15·/·36)·for·'sshd_set_keepalive'149 #·BEGIN·fix·(15·/·36)·for·'sshd_disable_empty_passwords'
150 ###############################################################################150 ###############################################################################
151 (>&2·echo·"Remediating·rule·15/36:·'sshd_set_keepalive'")151 (>&2·echo·"Remediating·rule·15/36:·'sshd_disable_empty_passwords'")
152 #·FIX·FOR·THIS·RULE·IS·MISSING152 #·FIX·FOR·THIS·RULE·IS·MISSING
153 #·END·fix·for·'sshd_set_keepalive'153 #·END·fix·for·'sshd_disable_empty_passwords'
  
154 ###############################################################################154 ###############################################################################
155 #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login'155 #·BEGIN·fix·(16·/·36)·for·'sshd_disable_root_login'
156 ###############################################################################156 ###############################################################################
157 (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'")157 (>&2·echo·"Remediating·rule·16/36:·'sshd_disable_root_login'")
158 #·FIX·FOR·THIS·RULE·IS·MISSING158 #·FIX·FOR·THIS·RULE·IS·MISSING
159 #·END·fix·for·'sshd_disable_root_login'159 #·END·fix·for·'sshd_disable_root_login'
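Review bot: The two builds of this script differ only in the order in which rule blocks are emitted (2/36 and 5/36 swap `package_inetutils-telnetd_removed` and `package_telnetd_removed`, 10/36 and 11/36 swap `service_auditd_enabled` and `service_ntp_enabled`, 13/36 and 15/36 swap `sshd_set_keepalive` and `sshd_disable_empty_passwords`), so the generator orders rules non-deterministically — presumably iteration over an unordered set or dict in the Python 2.7 build tooling named elsewhere in this output — and the package is not reproducible. Sorting rule ids before assigning the `N/36` counters would make the script byte-identical across builds and keep the progress numbers stable in operator logs. Separately, every audit and SSH block in this section is a `# FIX FOR THIS RULE IS MISSING` placeholder that still prints `Remediating rule …` to stderr, so someone reading the output would believe `sshd_disable_root_login` or `sshd_disable_empty_passwords` had been applied when nothing was changed; the placeholder should at least say so, e.g. `(>&2 echo "No remediation available for rule 16/36: 'sshd_disable_root_login'")`. The same reordering appears in the preceding, truncated section, which is cut off above.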
1.75 KB
./usr/share/xml/scap/ssg/content/ssg-debian8-cpe-oval.xml
1.64 KB
./usr/share/xml/scap/ssg/content/ssg-debian8-cpe-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:29:16</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_debian8:def:1"·version="3">10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_debian8:def:1"·version="3">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>Debian·8</ns0:title>12 ········<ns0:title>Debian·8</ns0:title>
13 ········<ns0:affected·family="unix">13 ········<ns0:affected·family="unix">
14 ··········<ns0:platform>Debian·8</ns0:platform>14 ··········<ns0:platform>Debian·8</ns0:platform>
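Review bot: The only difference in this file is the `<ns2:timestamp>` written by combine-ovals.py (`2020-07-12T03:29:16` vs `2020-07-12T04:17:30`), i.e. the generator embeds the wall-clock build time, which by itself makes the artifact unreproducible and leaks the build time into the shipped content. The OCIL component in `ssg-debian8-ds.xml` below carries `2018-07-26T14:58:28Z`, matching the `.deb` member timestamps, so that generator already appears to take its timestamp from a fixed source date (presumably SOURCE_DATE_EPOCH — inferred, not visible here); combine-ovals.py and the `ds:component timestamp` attributes in the same data stream should do the same. Until then, consumers should not read these timestamps as a content-version signal; `<ns2:product_version>` (`ssg: 0.1.39`) is the stable identifier.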
154 KB
./usr/share/xml/scap/ssg/content/ssg-debian8-ds.xml
154 KB
./usr/share/xml/scap/ssg/content/ssg-debian8-ds.xml
    
Offset 18, 21 lines modifiedOffset 18, 21 lines modified
18 ····</ds:checklists>18 ····</ds:checklists>
19 ····<ds:checks>19 ····<ds:checks>
20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-oval.xml"/>20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-oval.xml"/>
21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-ocil.xml"/>21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-ocil.xml"/>
22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-cpe-oval.xml"/>22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-debian8-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-debian8-cpe-oval.xml"/>
23 ····</ds:checks>23 ····</ds:checks>
24 ··</ds:data-stream>24 ··</ds:data-stream>
25 ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-oval.xml"·timestamp="2020-07-11T15:39:15">25 ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-oval.xml"·timestamp="2020-07-12T18:46:42">
26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
27 ······<ns0:generator>27 ······<ns0:generator>
28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
30 ········<ns2:schema_version>5.11</ns2:schema_version>30 ········<ns2:schema_version>5.11</ns2:schema_version>
31 ········<ns2:timestamp>2020-07-12T03:29:16</ns2:timestamp>31 ········<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp>
32 ······</ns0:generator>32 ······</ns0:generator>
33 ······<ns0:definitions>33 ······<ns0:definitions>
34 ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1">34 ········<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1">
35 ··········<ns0:metadata>35 ··········<ns0:metadata>
36 ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title>36 ············<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title>
37 ············<ns0:affected·family="unix">37 ············<ns0:affected·family="unix">
38 ··············<ns0:platform>Debian·8</ns0:platform>38 ··············<ns0:platform>Debian·8</ns0:platform>
Offset 5573, 57 lines modifiedOffset 5573, 57 lines modified
5573 ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/>5573 ········<ns0:external_variable·comment="used·for·remediation·only"·datatype="string"·id="oval:ssg-rsyslog_remote_loghost_address:var:1"·version="1"/>
5574 ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/>5574 ········<ns0:external_variable·comment="May·be·defined·by·Profiles·to·explicitly·say·if·sshd·is·required·or·not"·datatype="int"·id="oval:ssg-sshd_required:var:1"·version="1"/>
5575 ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/>5575 ········<ns0:external_variable·comment="timeout·value"·datatype="int"·id="oval:ssg-sshd_idle_timeout_value:var:1"·version="1"/>
5576 ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/>5576 ········<ns0:external_variable·comment="maxauthtries·value"·datatype="int"·id="oval:ssg-sshd_max_auth_tries_value:var:1"·version="1"/>
5577 ······</ns0:variables>5577 ······</ns0:variables>
5578 ····</ns0:oval_definitions>5578 ····</ns0:oval_definitions>
5579 ··</ds:component>5579 ··</ds:component>
5580 ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-ocil.xml"·timestamp="2020-07-11T15:39:14">5580 ··<ds:component·id="scap_org.open-scap_comp_ssg-debian8-ocil.xml"·timestamp="2020-07-12T18:46:40">
5581 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">5581 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">
5582 ······<ns0:generator>5582 ······<ns0:generator>
5583 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>5583 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
5584 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>5584 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>
5585 ········<ns0:schema_version>2.0</ns0:schema_version>5585 ········<ns0:schema_version>2.0</ns0:schema_version>
5586 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>5586 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
5587 ······</ns0:generator>5587 ······</ns0:generator>
5588 ······<ns0:questionnaires>5588 ······<ns0:questionnaires>
5589 ········<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> 
5590 ··········<ns0:title>Enable·the·auditd·service</ns0:title> 
5591 ··········<ns0:actions> 
5592 ············<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> 
5593 ··········</ns0:actions> 
5594 ········</ns0:questionnaire> 
5595 ········<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1">5589 ········<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1">
5596 ··········<ns0:title>Enable·the·ntpd·service</ns0:title>5590 ··········<ns0:title>Enable·the·ntpd·service</ns0:title>
5597 ··········<ns0:actions>5591 ··········<ns0:actions>
5598 ············<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref>5592 ············<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref>
5599 ··········</ns0:actions>5593 ··········</ns0:actions>
5600 ········</ns0:questionnaire>5594 ········</ns0:questionnaire>
 5595 ········<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1">
 5596 ··········<ns0:title>Enable·the·auditd·service</ns0:title>
 5597 ··········<ns0:actions>
 5598 ············<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref>
 5599 ··········</ns0:actions>
 5600 ········</ns0:questionnaire>
5601 ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">5601 ········<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">
5602 ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>5602 ··········<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>
5603 ··········<ns0:actions>5603 ··········<ns0:actions>
5604 ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>5604 ············<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>
5605 ··········</ns0:actions>5605 ··········</ns0:actions>
5606 ········</ns0:questionnaire>5606 ········</ns0:questionnaire>
5607 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">5607 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">
5608 ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>5608 ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>
5609 ··········<ns0:actions>5609 ··········<ns0:actions>
5610 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>5610 ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>
5611 ··········</ns0:actions>5611 ··········</ns0:actions>
5612 ········</ns0:questionnaire>5612 ········</ns0:questionnaire>
5613 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">5613 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
5614 ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>5614 ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>
5615 ··········<ns0:actions>5615 ··········<ns0:actions>
5616 ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>5616 ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>
5617 ··········</ns0:actions>5617 ··········</ns0:actions>
5618 ········</ns0:questionnaire>5618 ········</ns0:questionnaire>
5619 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">5619 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">
5620 ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>5620 ··········<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>
5621 ··········<ns0:actions>5621 ··········<ns0:actions>
5622 ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>5622 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>
5623 ··········</ns0:actions>5623 ··········</ns0:actions>
5624 ········</ns0:questionnaire>5624 ········</ns0:questionnaire>
5625 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">5625 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">
5626 ··········<ns0:title>Disable·SSH·Root·Login</ns0:title>5626 ··········<ns0:title>Disable·SSH·Root·Login</ns0:title>
5627 ··········<ns0:actions>5627 ··········<ns0:actions>
5628 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>5628 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>
5629 ··········</ns0:actions>5629 ··········</ns0:actions>
Offset 5648, 26 lines modifiedOffset 5648, 26 lines modified
5648 ········</ns0:questionnaire>5648 ········</ns0:questionnaire>
5649 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">5649 ········<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
5650 ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>5650 ··········<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>
5651 ··········<ns0:actions>5651 ··········<ns0:actions>
5652 ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>5652 ············<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>
5653 ··········</ns0:actions>5653 ··········</ns0:actions>
5654 ········</ns0:questionnaire>5654 ········</ns0:questionnaire>
5655 ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> 
5656 ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> 
5657 ··········<ns0:actions> 
5658 ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> 
5659 ··········</ns0:actions> 
5660 ········</ns0:questionnaire> 
5661 ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">5655 ········<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">
5662 ··········<ns0:title>Enable·syslog-ng·Service</ns0:title>5656 ··········<ns0:title>Enable·syslog-ng·Service</ns0:title>
5663 ··········<ns0:actions>5657 ··········<ns0:actions>
5664 ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>5658 ············<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>
5665 ··········</ns0:actions>5659 ··········</ns0:actions>
5666 ········</ns0:questionnaire>5660 ········</ns0:questionnaire>
 5661 ········<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1">
 5662 ··········<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title>
 5663 ··········<ns0:actions>
 5664 ············<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref>
 5665 ··········</ns0:actions>
 5666 ········</ns0:questionnaire>
5667 ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">5667 ········<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">
5668 ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>5668 ··········<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>
5669 ··········<ns0:actions>5669 ··········<ns0:actions>
5670 ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>5670 ············<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>
5671 ··········</ns0:actions>5671 ··········</ns0:actions>
5672 ········</ns0:questionnaire>5672 ········</ns0:questionnaire>
5673 ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">5673 ········<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">
Offset 5788, 23 lines modifiedOffset 5788, 23 lines modified
5788 ··········<ns0:title>Enable·Randomized·Layout·of·Virtual·Address·Space</ns0:title>5788 ··········<ns0:title>Enable·Randomized·Layout·of·Virtual·Address·Space</ns0:title>
5789 ··········<ns0:actions>5789 ··········<ns0:actions>
5790 ············<ns0:test_action_ref>ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1</ns0:test_action_ref>5790 ············<ns0:test_action_ref>ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1</ns0:test_action_ref>
5791 ··········</ns0:actions>5791 ··········</ns0:actions>
5792 ········</ns0:questionnaire>5792 ········</ns0:questionnaire>
5793 ······</ns0:questionnaires>5793 ······</ns0:questionnaires>
5794 ······<ns0:test_actions>5794 ······<ns0:test_actions>
5795 ········<ns0:boolean_question_test_action·id="ocil:ssg-service_auditd_enabled_action:testaction:1"·question_ref="ocil:ssg-service_auditd_enabled_question:question:1">5795 ········<ns0:boolean_question_test_action·id="ocil:ssg-service_ntp_enabled_action:testaction:1"·question_ref="ocil:ssg-service_ntp_enabled_question:question:1">
Max diff block lines reached; 147757/157210 bytes (93.99%) of diff not shown.
15.5 KB
./usr/share/xml/scap/ssg/content/ssg-debian8-ocil.xml
15.4 KB
./usr/share/xml/scap/ssg/content/ssg-debian8-ocil.xml
    
Offset 3, 48 lines modifiedOffset 3, 48 lines modified
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>4 ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
5 ····<ns0:product_version>ssg:·0.1.39</ns0:product_version>5 ····<ns0:product_version>ssg:·0.1.39</ns0:product_version>
6 ····<ns0:schema_version>2.0</ns0:schema_version>6 ····<ns0:schema_version>2.0</ns0:schema_version>
7 ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>7 ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:questionnaires>9 ··<ns0:questionnaires>
10 ····<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"> 
11 ······<ns0:title>Enable·the·auditd·service</ns0:title> 
12 ······<ns0:actions> 
13 ········<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref> 
14 ······</ns0:actions> 
15 ····</ns0:questionnaire> 
16 ····<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1">10 ····<ns0:questionnaire·id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1">
17 ······<ns0:title>Enable·the·ntpd·service</ns0:title>11 ······<ns0:title>Enable·the·ntpd·service</ns0:title>
18 ······<ns0:actions>12 ······<ns0:actions>
19 ········<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref>13 ········<ns0:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ns0:test_action_ref>
20 ······</ns0:actions>14 ······</ns0:actions>
21 ····</ns0:questionnaire>15 ····</ns0:questionnaire>
 16 ····<ns0:questionnaire·id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1">
 17 ······<ns0:title>Enable·the·auditd·service</ns0:title>
 18 ······<ns0:actions>
 19 ········<ns0:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ns0:test_action_ref>
 20 ······</ns0:actions>
 21 ····</ns0:questionnaire>
22 ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">22 ····<ns0:questionnaire·id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">
23 ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>23 ······<ns0:title>Allow·Only·SSH·Protocol·2</ns0:title>
24 ······<ns0:actions>24 ······<ns0:actions>
25 ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>25 ········<ns0:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ns0:test_action_ref>
26 ······</ns0:actions>26 ······</ns0:actions>
27 ····</ns0:questionnaire>27 ····</ns0:questionnaire>
28 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">28 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">
29 ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>29 ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>
30 ······<ns0:actions>30 ······<ns0:actions>
31 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>31 ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>
32 ······</ns0:actions>32 ······</ns0:actions>
33 ····</ns0:questionnaire>33 ····</ns0:questionnaire>
34 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">34 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
35 ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>35 ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>
36 ······<ns0:actions>36 ······<ns0:actions>
37 ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>37 ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>
38 ······</ns0:actions>38 ······</ns0:actions>
39 ····</ns0:questionnaire>39 ····</ns0:questionnaire>
40 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">40 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">
41 ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>41 ······<ns0:title>Disable·SSH·Access·via·Empty·Passwords</ns0:title>
42 ······<ns0:actions>42 ······<ns0:actions>
43 ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>43 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ns0:test_action_ref>
44 ······</ns0:actions>44 ······</ns0:actions>
45 ····</ns0:questionnaire>45 ····</ns0:questionnaire>
46 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">46 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">
47 ······<ns0:title>Disable·SSH·Root·Login</ns0:title>47 ······<ns0:title>Disable·SSH·Root·Login</ns0:title>
48 ······<ns0:actions>48 ······<ns0:actions>
49 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>49 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ns0:test_action_ref>
50 ······</ns0:actions>50 ······</ns0:actions>
Offset 69, 26 lines modifiedOffset 69, 26 lines modified
69 ····</ns0:questionnaire>69 ····</ns0:questionnaire>
70 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">70 ····<ns0:questionnaire·id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
71 ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>71 ······<ns0:title>Ensure·Log·Files·Are·Owned·By·Appropriate·Group</ns0:title>
72 ······<ns0:actions>72 ······<ns0:actions>
73 ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>73 ········<ns0:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ns0:test_action_ref>
74 ······</ns0:actions>74 ······</ns0:actions>
75 ····</ns0:questionnaire>75 ····</ns0:questionnaire>
76 ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"> 
77 ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title> 
78 ······<ns0:actions> 
79 ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref> 
80 ······</ns0:actions> 
81 ····</ns0:questionnaire> 
82 ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">76 ····<ns0:questionnaire·id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">
83 ······<ns0:title>Enable·syslog-ng·Service</ns0:title>77 ······<ns0:title>Enable·syslog-ng·Service</ns0:title>
84 ······<ns0:actions>78 ······<ns0:actions>
85 ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>79 ········<ns0:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ns0:test_action_ref>
86 ······</ns0:actions>80 ······</ns0:actions>
87 ····</ns0:questionnaire>81 ····</ns0:questionnaire>
 82 ····<ns0:questionnaire·id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1">
 83 ······<ns0:title>Ensure·syslog-ng·is·Installed</ns0:title>
 84 ······<ns0:actions>
 85 ········<ns0:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ns0:test_action_ref>
 86 ······</ns0:actions>
 87 ····</ns0:questionnaire>
88 ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">88 ····<ns0:questionnaire·id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">
89 ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>89 ······<ns0:title>Ensure·Logrotate·Runs·Periodically</ns0:title>
90 ······<ns0:actions>90 ······<ns0:actions>
91 ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>91 ········<ns0:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ns0:test_action_ref>
92 ······</ns0:actions>92 ······</ns0:actions>
93 ····</ns0:questionnaire>93 ····</ns0:questionnaire>
94 ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">94 ····<ns0:questionnaire·id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">
Offset 209, 23 lines modifiedOffset 209, 23 lines modified
209 ······<ns0:title>Enable·Randomized·Layout·of·Virtual·Address·Space</ns0:title>209 ······<ns0:title>Enable·Randomized·Layout·of·Virtual·Address·Space</ns0:title>
210 ······<ns0:actions>210 ······<ns0:actions>
211 ········<ns0:test_action_ref>ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1</ns0:test_action_ref>211 ········<ns0:test_action_ref>ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1</ns0:test_action_ref>
212 ······</ns0:actions>212 ······</ns0:actions>
213 ····</ns0:questionnaire>213 ····</ns0:questionnaire>
214 ··</ns0:questionnaires>214 ··</ns0:questionnaires>
215 ··<ns0:test_actions>215 ··<ns0:test_actions>
216 ····<ns0:boolean_question_test_action·id="ocil:ssg-service_auditd_enabled_action:testaction:1"·question_ref="ocil:ssg-service_auditd_enabled_question:question:1">216 ····<ns0:boolean_question_test_action·id="ocil:ssg-service_ntp_enabled_action:testaction:1"·question_ref="ocil:ssg-service_ntp_enabled_question:question:1">
217 ······<ns0:when_true>217 ······<ns0:when_true>
218 ········<ns0:result>PASS</ns0:result>218 ········<ns0:result>PASS</ns0:result>
219 ······</ns0:when_true>219 ······</ns0:when_true>
220 ······<ns0:when_false>220 ······<ns0:when_false>
221 ········<ns0:result>FAIL</ns0:result>221 ········<ns0:result>FAIL</ns0:result>
222 ······</ns0:when_false>222 ······</ns0:when_false>
223 ····</ns0:boolean_question_test_action>223 ····</ns0:boolean_question_test_action>
224 ····<ns0:boolean_question_test_action·id="ocil:ssg-service_ntp_enabled_action:testaction:1"·question_ref="ocil:ssg-service_ntp_enabled_question:question:1">224 ····<ns0:boolean_question_test_action·id="ocil:ssg-service_auditd_enabled_action:testaction:1"·question_ref="ocil:ssg-service_auditd_enabled_question:question:1">
225 ······<ns0:when_true>225 ······<ns0:when_true>
226 ········<ns0:result>PASS</ns0:result>226 ········<ns0:result>PASS</ns0:result>
227 ······</ns0:when_true>227 ······</ns0:when_true>
228 ······<ns0:when_false>228 ······<ns0:when_false>
229 ········<ns0:result>FAIL</ns0:result>229 ········<ns0:result>FAIL</ns0:result>
230 ······</ns0:when_false>230 ······</ns0:when_false>
231 ····</ns0:boolean_question_test_action>231 ····</ns0:boolean_question_test_action>
Offset 233, 15 lines modifiedOffset 233, 15 lines modified
233 ······<ns0:when_true>233 ······<ns0:when_true>
234 ········<ns0:result>PASS</ns0:result>234 ········<ns0:result>PASS</ns0:result>
235 ······</ns0:when_true>235 ······</ns0:when_true>
236 ······<ns0:when_false>236 ······<ns0:when_false>
237 ········<ns0:result>FAIL</ns0:result>237 ········<ns0:result>FAIL</ns0:result>
238 ······</ns0:when_false>238 ······</ns0:when_false>
239 ····</ns0:boolean_question_test_action>239 ····</ns0:boolean_question_test_action>
240 ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_disable_empty_passwords_action:testaction:1"·question_ref="ocil:ssg-sshd_disable_empty_passwords_question:question:1">240 ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_set_keepalive_action:testaction:1"·question_ref="ocil:ssg-sshd_set_keepalive_question:question:1">
241 ······<ns0:when_true>241 ······<ns0:when_true>
242 ········<ns0:result>PASS</ns0:result>242 ········<ns0:result>PASS</ns0:result>
243 ······</ns0:when_true>243 ······</ns0:when_true>
244 ······<ns0:when_false>244 ······<ns0:when_false>
245 ········<ns0:result>FAIL</ns0:result>245 ········<ns0:result>FAIL</ns0:result>
246 ······</ns0:when_false>246 ······</ns0:when_false>
247 ····</ns0:boolean_question_test_action>247 ····</ns0:boolean_question_test_action>
Max diff block lines reached; 8374/15683 bytes (53.40%) of diff not shown.
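Review bot: The questionnaire and test_action elements of ssg-debian8-ocil.xml come out in a different order between the two builds (the auditd/ntp pair, the syslog-ng package/service pair and the sshd keepalive/empty-passwords pair are each swapped) while the set of elements and their ids is identical, so the generator's output order is not deterministic. The XCCDF section on this same page shows the same reorderings in its Profile and select elements, so the OCIL order is presumably inherited from the XCCDF input rather than introduced by xccdf-create-ocil.xslt — worth confirming before changing the stylesheet. Sorting questionnaires and test_actions by id at emission time, for example `<xsl:sort select="@id"/>` inside the loops that produce them, would make the file stable regardless of input order. Evaluation is unaffected because every test_action is referenced by id, but a security-content artifact that differs per build cannot be checked against a published checksum, which is the property this comparison is meant to establish.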
1.79 KB
./usr/share/xml/scap/ssg/content/ssg-debian8-oval.xml
1.68 KB
./usr/share/xml/scap/ssg/content/ssg-debian8-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:29:16</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:17:30</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1">10 ····<ns0:definition·class="compliance"·id="oval:ssg-file_permissions_systemmap:def:1"·version="1">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title>12 ········<ns0:title>Verify·that·System.map·files·are·readable·only·by·root</ns0:title>
13 ········<ns0:affected·family="unix">13 ········<ns0:affected·family="unix">
14 ··········<ns0:platform>Debian·8</ns0:platform>14 ··········<ns0:platform>Debian·8</ns0:platform>
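Review bot: The only difference in ssg-debian8-oval.xml is the generator timestamp on line 7 (2020-07-12T03:29:16 versus 2020-07-12T04:17:30), which combine-ovals.py apparently takes from the build clock. The OCIL generator block on this page carries 2018-07-26T14:58:28Z on both sides, so a fixed build time is already in use for that path and the OVAL generator should follow it. Deriving the timestamp from SOURCE_DATE_EPOCH when that variable is set, and only otherwise from the current time, would remove this difference without changing the output for interactive builds. Until then, an integrity check on the shipped OVAL content has to exclude the generator block, which weakens the check for a file whose whole purpose is compliance evaluation.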
126 KB
./usr/share/xml/scap/ssg/content/ssg-debian8-xccdf.xml
126 KB
./usr/share/xml/scap/ssg/content/ssg-debian8-xccdf.xml
    
Offset 160, 67 lines modifiedOffset 160, 14 lines modified
160 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>160 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>
161 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>161 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
162 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>162 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>
163 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>163 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>
164 ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>164 ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
165 ··</metadata>165 ··</metadata>
166 ··<model·system="urn:xccdf:scoring:default"/>166 ··<model·system="urn:xccdf:scoring:default"/>
167 ··<Profile·id="anssi_np_nt28_restrictive"> 
168 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title> 
169 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description> 
170 ····<select·idref="sudo_remove_nopasswd"·selected="true"/> 
171 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/> 
172 ····<select·idref="package_telnetd_removed"·selected="true"/> 
173 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/> 
174 ····<select·idref="package_telnetd-ssl_removed"·selected="true"/> 
175 ····<select·idref="package_nis_removed"·selected="true"/> 
176 ····<select·idref="package_rsyslog_installed"·selected="true"/> 
177 ····<select·idref="service_rsyslog_enabled"·selected="true"/> 
178 ····<select·idref="package_syslogng_installed"·selected="true"/> 
179 ····<select·idref="service_syslogng_enabled"·selected="true"/> 
180 ····<select·idref="apt_conf_disallow_unauthenticated"·selected="true"/> 
181 ····<select·idref="apt_sources_list_official"·selected="true"/> 
182 ····<select·idref="file_permissions_etc_shadow"·selected="true"/> 
183 ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> 
184 ····<select·idref="file_permissions_etc_passwd"·selected="true"/> 
185 ····<select·idref="file_permissions_etc_group"·selected="true"/> 
186 ····<select·idref="package_ntp_installed"·selected="true"/> 
187 ····<select·idref="package_ntpdate_removed"·selected="true"/> 
188 ····<select·idref="sshd_set_idle_timeout"·selected="true"/> 
189 ····<select·idref="sshd_disable_root_login"·selected="true"/> 
190 ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> 
191 ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> 
192 ····<select·idref="sshd_set_keepalive"·selected="true"/> 
193 ····<select·idref="rsyslog_files_ownership"·selected="true"/> 
194 ····<select·idref="rsyslog_files_groupownership"·selected="true"/> 
195 ····<select·idref="rsyslog_files_permissions"·selected="true"/> 
196 ····<select·idref="rsyslog_remote_loghost"·selected="false"/> 
197 ····<select·idref="ensure_logrotate_activated"·selected="true"/> 
198 ····<select·idref="file_permissions_systemmap"·selected="true"/> 
199 ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/> 
200 ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/> 
201 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> 
202 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> 
203 ····<select·idref="partition_for_tmp"·selected="true"/> 
204 ····<select·idref="partition_for_var"·selected="true"/> 
205 ····<select·idref="partition_for_var_log"·selected="true"/> 
206 ····<select·idref="partition_for_var_log_audit"·selected="true"/> 
207 ····<select·idref="partition_for_home"·selected="true"/> 
208 ····<select·idref="package_auditd_installed"·selected="true"/> 
209 ····<select·idref="package_cron_installed"·selected="true"/> 
210 ····<select·idref="service_auditd_enabled"·selected="true"/> 
211 ····<select·idref="service_ntp_enabled"·selected="true"/> 
212 ····<select·idref="remediation_functions"·selected="false"/> 
213 ····<select·idref="software"·selected="false"/> 
214 ····<select·idref="rsyslog_sending_messages"·selected="false"/> 
215 ····<select·idref="accounts"·selected="false"/> 
216 ····<select·idref="accounts-restrictions"·selected="false"/> 
217 ····<select·idref="hw-install"·selected="false"/> 
218 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/> 
219 ··</Profile> 
220 ··<Profile·id="anssi_np_nt28_average">167 ··<Profile·id="anssi_np_nt28_average">
221 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title>168 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Average·(Intermediate)·Level</title>
222 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description>169 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·already·protected·by·multiple·higher·level·security·stacks.</description>
223 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>170 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>
224 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>171 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>
225 ····<select·idref="package_telnetd_removed"·selected="true"/>172 ····<select·idref="package_telnetd_removed"·selected="true"/>
226 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>173 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>
Offset 255, 24 lines modifiedOffset 202, 24 lines modified
255 ····<select·idref="ensure_logrotate_activated"·selected="true"/>202 ····<select·idref="ensure_logrotate_activated"·selected="true"/>
256 ····<select·idref="file_permissions_systemmap"·selected="true"/>203 ····<select·idref="file_permissions_systemmap"·selected="true"/>
257 ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/>204 ····<select·idref="sysctl_fs_protected_symlinks"·selected="true"/>
258 ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/>205 ····<select·idref="sysctl_fs_protected_hardlinks"·selected="true"/>
259 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/>206 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/>
260 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/>207 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/>
261 ····<select·idref="remediation_functions"·selected="false"/>208 ····<select·idref="remediation_functions"·selected="false"/>
262 ····<select·idref="software"·selected="false"/> 
263 ····<select·idref="rsyslog_sending_messages"·selected="false"/>209 ····<select·idref="rsyslog_sending_messages"·selected="false"/>
264 ····<select·idref="accounts"·selected="false"/>210 ····<select·idref="accounts"·selected="false"/>
265 ····<select·idref="accounts-restrictions"·selected="false"/>211 ····<select·idref="accounts-restrictions"·selected="false"/>
266 ····<select·idref="hw-install"·selected="false"/>212 ····<select·idref="hw-install"·selected="false"/>
 213 ····<select·idref="software"·selected="false"/>
267 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>214 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>
268 ··</Profile>215 ··</Profile>
269 ··<Profile·id="anssi_np_nt28_high">216 ··<Profile·id="anssi_np_nt28_restrictive">
270 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·High·(Enforced)·Level</title>217 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Restrictive·Level</title>
271 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·storing·sensitive·informations·that·can·be·accessible·from·unauthenticated·or·uncontroled·networks.</description>218 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·for·GNU/Linux·installations·exposed·to·unauthenticated·flows·or·multiple·sources.</description>
272 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>219 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>
273 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>220 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>
274 ····<select·idref="package_telnetd_removed"·selected="true"/>221 ····<select·idref="package_telnetd_removed"·selected="true"/>
275 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>222 ····<select·idref="package_inetutils-telnetd_removed"·selected="true"/>
276 ····<select·idref="package_telnetd-ssl_removed"·selected="true"/>223 ····<select·idref="package_telnetd-ssl_removed"·selected="true"/>
277 ····<select·idref="package_nis_removed"·selected="true"/>224 ····<select·idref="package_nis_removed"·selected="true"/>
278 ····<select·idref="package_rsyslog_installed"·selected="true"/>225 ····<select·idref="package_rsyslog_installed"·selected="true"/>
Offset 307, 20 lines modifiedOffset 254, 20 lines modified
307 ····<select·idref="partition_for_var_log"·selected="true"/>254 ····<select·idref="partition_for_var_log"·selected="true"/>
308 ····<select·idref="partition_for_var_log_audit"·selected="true"/>255 ····<select·idref="partition_for_var_log_audit"·selected="true"/>
309 ····<select·idref="partition_for_home"·selected="true"/>256 ····<select·idref="partition_for_home"·selected="true"/>
310 ····<select·idref="package_auditd_installed"·selected="true"/>257 ····<select·idref="package_auditd_installed"·selected="true"/>
311 ····<select·idref="package_cron_installed"·selected="true"/>258 ····<select·idref="package_cron_installed"·selected="true"/>
312 ····<select·idref="service_auditd_enabled"·selected="true"/>259 ····<select·idref="service_auditd_enabled"·selected="true"/>
313 ····<select·idref="service_ntp_enabled"·selected="true"/>260 ····<select·idref="service_ntp_enabled"·selected="true"/>
314 ····<select·idref="grub2_enable_iommu_force"·selected="true"/> 
315 ····<select·idref="remediation_functions"·selected="false"/>261 ····<select·idref="remediation_functions"·selected="false"/>
316 ····<select·idref="software"·selected="false"/> 
317 ····<select·idref="rsyslog_sending_messages"·selected="false"/>262 ····<select·idref="rsyslog_sending_messages"·selected="false"/>
318 ····<select·idref="accounts"·selected="false"/>263 ····<select·idref="accounts"·selected="false"/>
319 ····<select·idref="accounts-restrictions"·selected="false"/>264 ····<select·idref="accounts-restrictions"·selected="false"/>
 265 ····<select·idref="hw-install"·selected="false"/>
 266 ····<select·idref="software"·selected="false"/>
320 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>267 ····<refine-value·idref="sshd_idle_timeout_value"·selector="5_minutes"/>
321 ··</Profile>268 ··</Profile>
322 ··<Profile·id="anssi_np_nt28_minimal">269 ··<Profile·id="anssi_np_nt28_minimal">
323 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title>270 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Profile·for·ANSSI·DAT-NT28·Minimal·Level</title>
324 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description>271 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·contains·items·to·be·applied·systematically.</description>
325 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>272 ····<select·idref="sudo_remove_nopasswd"·selected="true"/>
326 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>273 ····<select·idref="sudo_remove_no_authenticate"·selected="true"/>
Offset 338, 28 lines modifiedOffset 285, 81 lines modified
338 ····<select·idref="file_permissions_etc_gshadow"·selected="true"/>285 ····<select·idref="file_permissions_etc_gshadow"·selected="true"/>
339 ····<select·idref="file_permissions_etc_passwd"·selected="true"/>286 ····<select·idref="file_permissions_etc_passwd"·selected="true"/>
340 ····<select·idref="file_permissions_etc_group"·selected="true"/>287 ····<select·idref="file_permissions_etc_group"·selected="true"/>
341 ····<select·idref="remediation_functions"·selected="false"/>288 ····<select·idref="remediation_functions"·selected="false"/>
342 ····<select·idref="basics"·selected="false"/>289 ····<select·idref="basics"·selected="false"/>
343 ····<select·idref="ssh"·selected="false"/>290 ····<select·idref="ssh"·selected="false"/>
344 ····<select·idref="ssh_server"·selected="false"/>291 ····<select·idref="ssh_server"·selected="false"/>
345 ····<select·idref="software"·selected="false"/> 
346 ····<select·idref="rsyslog_sending_messages"·selected="false"/>292 ····<select·idref="rsyslog_sending_messages"·selected="false"/>
347 ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/>293 ····<select·idref="ensure_rsyslog_log_file_configuration"·selected="false"/>
Max diff block lines reached; 119305/128573 bytes (92.79%) of diff not shown.
149 MB
ssg-nondebian_0.1.39-2_all.deb
452 B
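--- a/file list
+++ b/file list
@@ -1,3 +1,3 @@
 -rw-r--r--···0········0········0········4·2018-07-26·14:58:28.000000·debian-binary
--rw-r--r--···0········0········0·····5720·2018-07-26·14:58:28.000000·control.tar.xz
+-rw-r--r--···0········0········0·····5704·2018-07-26·14:58:28.000000·control.tar.xz
--rw-r--r--···0········0········0··5251460·2018-07-26·14:58:28.000000·data.tar.xz
+-rw-r--r--···0········0········0··5246156·2018-07-26·14:58:28.000000·data.tar.xz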
640 B
control.tar.xz
612 B
control.tar
542 B
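--- a/control
+++ b/control
@@ -1,13 +1,13 @@
 Package:·ssg-nondebian
 Source:·scap-security-guide
 Version:·0.1.39-2
 Architecture:·all
 Maintainer:·Debian·Security·Tools·<team+pkg-security@tracker.debian.org>
-Installed-Size:·266259
+Installed-Size:·266316
 Depends:·ssg-base
 Section:·admin
 Priority:·optional
 Multi-Arch:·foreign
 Homepage:·https://www.open-scap.org/security-policies/scap-security-guide
 Description:·SCAP·Guides·and·benchmarks·targeting·other·GNU/Linux·OS
 ·This·package·contains·all·the·SCAP·guides,·benchmarks·and·remediation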
48.0 B
./md5sums
30.0 B
./md5sums
Files differ
149 MB
data.tar.xz
149 MB
data.tar
56.1 KB
file list
    
Offset 2, 29 lines modifiedOffset 2, 29 lines modified
2 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/2 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/
3 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/3 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/
4 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc/4 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc/
5 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/5 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/
6 -rw-r--r--···0·root·········(0)·root·········(0)·····1190·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/changelog.Debian.gz6 -rw-r--r--···0·root·········(0)·root·········(0)·····1190·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/changelog.Debian.gz
7 -rw-r--r--···0·root·········(0)·root·········(0)·····4350·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/changelog.gz7 -rw-r--r--···0·root·········(0)·root·········(0)·····4350·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/changelog.gz
8 -rw-r--r--···0·root·········(0)·root·········(0)·····3703·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/copyright8 -rw-r--r--···0·root·········(0)·root·········(0)·····3703·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/copyright
9 -rw-r--r--···0·root·········(0)·root·········(0)··1347276·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-C2S.html9 -rw-r--r--···0·root·········(0)·root·········(0)··1348026·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-C2S.html
10 -rw-r--r--···0·root·········(0)·root·········(0)··1914831·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-CS2.html10 -rw-r--r--···0·root·········(0)·root·········(0)··1915581·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-CS2.html
11 -rw-r--r--···0·root·········(0)·root·········(0)··1535815·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-CSCF-RHEL6-MLS.html11 -rw-r--r--···0·root·········(0)·root·········(0)··1536565·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-CSCF-RHEL6-MLS.html
12 -rw-r--r--···0·root·········(0)·root·········(0)···500737·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-default.html12 -rw-r--r--···0·root·········(0)·root·········(0)···500737·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-default.html
13 -rw-r--r--···0·root·········(0)·root·········(0)··1568505·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-desktop.html13 -rw-r--r--···0·root·········(0)·root·········(0)··1569255·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-desktop.html
14 -rw-r--r--···0·root·········(0)·root·········(0)··1582000·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-fisma-medium-rhel6-server.html14 -rw-r--r--···0·root·········(0)·root·········(0)··1582750·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-fisma-medium-rhel6-server.html
15 -rw-r--r--···0·root·········(0)·root·········(0)··1472975·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-ftp-server.html15 -rw-r--r--···0·root·········(0)·root·········(0)··1473725·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-ftp-server.html
16 -rw-r--r--···0·root·········(0)·root·········(0)·····8309·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-index.html16 -rw-r--r--···0·root·········(0)·root·········(0)·····8309·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-index.html
17 -rw-r--r--···0·root·········(0)·root·········(0)··1842086·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-nist-CL-IL-AL.html17 -rw-r--r--···0·root·········(0)·root·········(0)··1842836·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-nist-CL-IL-AL.html
18 -rw-r--r--···0·root·········(0)·root·········(0)···997454·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-pci-dss.html18 -rw-r--r--···0·root·········(0)·root·········(0)···997840·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-pci-dss.html
19 -rw-r--r--···0·root·········(0)·root·········(0)···675491·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-rht-ccp.html19 -rw-r--r--···0·root·········(0)·root·········(0)···676241·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-rht-ccp.html
20 -rw-r--r--···0·root·········(0)·root·········(0)··1456749·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-server.html20 -rw-r--r--···0·root·········(0)·root·········(0)··1457499·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-server.html
21 -rw-r--r--···0·root·········(0)·root·········(0)··1438404·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-standard.html21 -rw-r--r--···0·root·········(0)·root·········(0)··1439154·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-standard.html
22 -rw-r--r--···0·root·········(0)·root·········(0)··1705232·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-stig-rhel6-disa.html22 -rw-r--r--···0·root·········(0)·root·········(0)··1705982·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-stig-rhel6-disa.html
23 -rw-r--r--···0·root·········(0)·root·········(0)··1635302·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-usgcb-rhel6-server.html23 -rw-r--r--···0·root·········(0)·root·········(0)··1636052·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos6-guide-usgcb-rhel6-server.html
24 -rw-r--r--···0·root·········(0)·root·········(0)··2080943·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-C2S.html24 -rw-r--r--···0·root·········(0)·root·········(0)··2080943·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-C2S.html
25 -rw-r--r--···0·root·········(0)·root·········(0)··1256874·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-cjis.html25 -rw-r--r--···0·root·········(0)·root·········(0)··1256874·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-cjis.html
26 -rw-r--r--···0·root·········(0)·root·········(0)···541764·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-default.html26 -rw-r--r--···0·root·········(0)·root·········(0)···541764·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-default.html
27 -rw-r--r--···0·root·········(0)·root·········(0)··1944352·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-hipaa.html27 -rw-r--r--···0·root·········(0)·root·········(0)··1944352·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-hipaa.html
28 -rw-r--r--···0·root·········(0)·root·········(0)·····6980·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-index.html28 -rw-r--r--···0·root·········(0)·root·········(0)·····6980·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-index.html
29 -rw-r--r--···0·root·········(0)·root·········(0)··3034308·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-nist-800-171-cui.html29 -rw-r--r--···0·root·········(0)·root·········(0)··3034308·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-nist-800-171-cui.html
30 -rw-r--r--···0·root·········(0)·root·········(0)··3034987·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-ospp.html30 -rw-r--r--···0·root·········(0)·root·········(0)··3034987·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-ospp.html
Offset 32, 58 lines modifiedOffset 32, 58 lines modified
32 -rw-r--r--···0·root·········(0)·root·········(0)···642649·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-rht-ccp.html32 -rw-r--r--···0·root·········(0)·root·········(0)···642649·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-rht-ccp.html
33 -rw-r--r--···0·root·········(0)·root·········(0)···910410·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-standard.html33 -rw-r--r--···0·root·········(0)·root·········(0)···910410·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-standard.html
34 -rw-r--r--···0·root·········(0)·root·········(0)··2326692·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-stig-rhel7-disa.html34 -rw-r--r--···0·root·········(0)·root·········(0)··2326692·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-centos7-guide-stig-rhel7-disa.html
35 -rw-r--r--···0·root·········(0)·root·········(0)···541125·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-default.html35 -rw-r--r--···0·root·········(0)·root·········(0)···541125·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-default.html
36 -rw-r--r--···0·root·········(0)·root·········(0)·····2536·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-index.html36 -rw-r--r--···0·root·········(0)·root·········(0)·····2536·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-index.html
37 -rw-r--r--···0·root·········(0)·root·········(0)···306930·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-stig-openstack.html37 -rw-r--r--···0·root·········(0)·root·········(0)···306930·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-stig-openstack.html
38 -rw-r--r--···0·root·········(0)·root·········(0)···501634·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-PCIDSS-RHEL-6-guide-default.html38 -rw-r--r--···0·root·········(0)·root·········(0)···501634·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-PCIDSS-RHEL-6-guide-default.html
39 -rw-r--r--···0·root·········(0)·root·········(0)··1255725·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-PCIDSS-RHEL-6-guide-pci-dss_centric.html39 -rw-r--r--···0·root·········(0)·root·········(0)··1256111·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-PCIDSS-RHEL-6-guide-pci-dss_centric.html
40 -rw-r--r--···0·root·········(0)·root·········(0)··1449191·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-C2S.html40 -rw-r--r--···0·root·········(0)·root·········(0)··1449941·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-C2S.html
41 -rw-r--r--···0·root·········(0)·root·········(0)··2082734·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-CS2.html41 -rw-r--r--···0·root·········(0)·root·········(0)··2083484·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-CS2.html
42 -rw-r--r--···0·root·········(0)·root·········(0)··1652923·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-CSCF-RHEL6-MLS.html42 -rw-r--r--···0·root·········(0)·root·········(0)··1653673·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-CSCF-RHEL6-MLS.html
43 -rw-r--r--···0·root·········(0)·root·········(0)···499080·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-default.html43 -rw-r--r--···0·root·········(0)·root·········(0)···499080·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-default.html
44 -rw-r--r--···0·root·········(0)·root·········(0)··1683570·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-desktop.html44 -rw-r--r--···0·root·········(0)·root·········(0)··1684320·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-desktop.html
45 -rw-r--r--···0·root·········(0)·root·········(0)··1698024·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-fisma-medium-rhel6-server.html45 -rw-r--r--···0·root·········(0)·root·········(0)··1698774·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-fisma-medium-rhel6-server.html
46 -rw-r--r--···0·root·········(0)·root·········(0)··1581430·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-ftp-server.html46 -rw-r--r--···0·root·········(0)·root·········(0)··1582180·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-ftp-server.html
47 -rw-r--r--···0·root·········(0)·root·········(0)·····8241·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-index.html47 -rw-r--r--···0·root·········(0)·root·········(0)·····8241·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-index.html
48 -rw-r--r--···0·root·········(0)·root·········(0)··1990511·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-nist-CL-IL-AL.html48 -rw-r--r--···0·root·········(0)·root·········(0)··1991261·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-nist-CL-IL-AL.html
49 -rw-r--r--···0·root·········(0)·root·········(0)··1049695·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-pci-dss.html49 -rw-r--r--···0·root·········(0)·root·········(0)··1050081·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-pci-dss.html
50 -rw-r--r--···0·root·········(0)·root·········(0)···728084·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-rht-ccp.html50 -rw-r--r--···0·root·········(0)·root·········(0)···728834·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-rht-ccp.html
51 -rw-r--r--···0·root·········(0)·root·········(0)··1562082·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-server.html51 -rw-r--r--···0·root·········(0)·root·········(0)··1562832·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-server.html
52 -rw-r--r--···0·root·········(0)·root·········(0)··1541421·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-standard.html52 -rw-r--r--···0·root·········(0)·root·········(0)··1542171·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-standard.html
53 -rw-r--r--···0·root·········(0)·root·········(0)··1845847·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-stig-rhel6-disa.html53 -rw-r--r--···0·root·········(0)·root·········(0)··1846597·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-stig-rhel6-disa.html
54 -rw-r--r--···0·root·········(0)·root·········(0)··1757167·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-usgcb-rhel6-server.html54 -rw-r--r--···0·root·········(0)·root·········(0)··1757917·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-usgcb-rhel6-server.html
55 -rw-r--r--···0·root·········(0)·root·········(0)···501634·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-PCIDSS-RHEL-7-guide-default.html55 -rw-r--r--···0·root·········(0)·root·········(0)···501634·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-PCIDSS-RHEL-7-guide-default.html
56 -rw-r--r--···0·root·········(0)·root·········(0)··1429672·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html56 -rw-r--r--···0·root·········(0)·root·········(0)··1429672·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html
57 -rw-r--r--···0·root·········(0)·root·········(0)··2191116·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-C2S.html57 -rw-r--r--···0·root·········(0)·root·········(0)··2191116·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-C2S.html
58 -rw-r--r--···0·root·········(0)·root·········(0)··1310403·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-cjis.html58 -rw-r--r--···0·root·········(0)·root·········(0)··1310403·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-cjis.html
59 -rw-r--r--···0·root·········(0)·root·········(0)···540107·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-default.html59 -rw-r--r--···0·root·········(0)·root·········(0)···540107·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-default.html
60 -rw-r--r--···0·root·········(0)·root·········(0)··2024942·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-hipaa.html60 -rw-r--r--···0·root·········(0)·root·········(0)··2024942·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-hipaa.html
61 -rw-r--r--···0·root·········(0)·root·········(0)·····6928·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-index.html61 -rw-r--r--···0·root·········(0)·root·········(0)·····6928·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-index.html
62 -rw-r--r--···0·root·········(0)·root·········(0)··3230645·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-nist-800-171-cui.html62 -rw-r--r--···0·root·········(0)·root·········(0)··3230645·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-nist-800-171-cui.html
63 -rw-r--r--···0·root·········(0)·root·········(0)··3231324·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-ospp.html63 -rw-r--r--···0·root·········(0)·root·········(0)··3231324·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-ospp.html
64 -rw-r--r--···0·root·········(0)·root·········(0)··1237827·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-pci-dss.html64 -rw-r--r--···0·root·········(0)·root·········(0)··1237827·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-pci-dss.html
65 -rw-r--r--···0·root·········(0)·root·········(0)···678706·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-rht-ccp.html65 -rw-r--r--···0·root·········(0)·root·········(0)···678706·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-rht-ccp.html
66 -rw-r--r--···0·root·········(0)·root·········(0)···935906·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-standard.html66 -rw-r--r--···0·root·········(0)·root·········(0)···935906·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-standard.html
67 -rw-r--r--···0·root·········(0)·root·········(0)··2465665·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-stig-rhel7-disa.html67 -rw-r--r--···0·root·········(0)·root·········(0)··2465665·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-stig-rhel7-disa.html
68 -rw-r--r--···0·root·········(0)·root·········(0)··1347787·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-C2S.html68 -rw-r--r--···0·root·········(0)·root·········(0)··1348537·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-C2S.html
69 -rw-r--r--···0·root·········(0)·root·········(0)··1915342·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-CS2.html69 -rw-r--r--···0·root·········(0)·root·········(0)··1916092·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-CS2.html
70 -rw-r--r--···0·root·········(0)·root·········(0)··1536326·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-CSCF-RHEL6-MLS.html70 -rw-r--r--···0·root·········(0)·root·········(0)··1537076·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-CSCF-RHEL6-MLS.html
71 -rw-r--r--···0·root·········(0)·root·········(0)···501248·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-default.html71 -rw-r--r--···0·root·········(0)·root·········(0)···501248·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-default.html
72 -rw-r--r--···0·root·········(0)·root·········(0)··1569016·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-desktop.html72 -rw-r--r--···0·root·········(0)·root·········(0)··1569766·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-desktop.html
73 -rw-r--r--···0·root·········(0)·root·········(0)··1582511·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-fisma-medium-rhel6-server.html73 -rw-r--r--···0·root·········(0)·root·········(0)··1583261·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-fisma-medium-rhel6-server.html
74 -rw-r--r--···0·root·········(0)·root·········(0)··1473486·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-ftp-server.html74 -rw-r--r--···0·root·········(0)·root·········(0)··1474236·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-ftp-server.html
75 -rw-r--r--···0·root·········(0)·root·········(0)·····8173·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-index.html75 -rw-r--r--···0·root·········(0)·root·········(0)·····8173·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-index.html
76 -rw-r--r--···0·root·········(0)·root·········(0)··1842597·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-nist-CL-IL-AL.html76 -rw-r--r--···0·root·········(0)·root·········(0)··1843347·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-nist-CL-IL-AL.html
77 -rw-r--r--···0·root·········(0)·root·········(0)···997965·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-pci-dss.html77 -rw-r--r--···0·root·········(0)·root·········(0)···998351·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-pci-dss.html
78 -rw-r--r--···0·root·········(0)·root·········(0)···676002·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-rht-ccp.html78 -rw-r--r--···0·root·········(0)·root·········(0)···676752·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-rht-ccp.html
79 -rw-r--r--···0·root·········(0)·root·········(0)··1457260·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-server.html79 -rw-r--r--···0·root·········(0)·root·········(0)··1458010·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-server.html
80 -rw-r--r--···0·root·········(0)·root·········(0)··1438915·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-standard.html80 -rw-r--r--···0·root·········(0)·root·········(0)··1439665·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-standard.html
81 -rw-r--r--···0·root·········(0)·root·········(0)··1705743·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-stig-rhel6-disa.html81 -rw-r--r--···0·root·········(0)·root·········(0)··1706493·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-stig-rhel6-disa.html
82 -rw-r--r--···0·root·········(0)·root·········(0)··1635813·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-usgcb-rhel6-server.html82 -rw-r--r--···0·root·········(0)·root·········(0)··1636563·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl6-guide-usgcb-rhel6-server.html
83 -rw-r--r--···0·root·········(0)·root·········(0)··2081454·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-C2S.html83 -rw-r--r--···0·root·········(0)·root·········(0)··2081454·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-C2S.html
84 -rw-r--r--···0·root·········(0)·root·········(0)··1257385·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-cjis.html84 -rw-r--r--···0·root·········(0)·root·········(0)··1257385·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-cjis.html
85 -rw-r--r--···0·root·········(0)·root·········(0)···542275·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-default.html85 -rw-r--r--···0·root·········(0)·root·········(0)···542275·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-default.html
86 -rw-r--r--···0·root·········(0)·root·········(0)··1944863·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-hipaa.html86 -rw-r--r--···0·root·········(0)·root·········(0)··1944863·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-hipaa.html
87 -rw-r--r--···0·root·········(0)·root·········(0)·····6876·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-index.html87 -rw-r--r--···0·root·········(0)·root·········(0)·····6876·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-index.html
88 -rw-r--r--···0·root·········(0)·root·········(0)··3034819·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-nist-800-171-cui.html88 -rw-r--r--···0·root·········(0)·root·········(0)··3034819·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-nist-800-171-cui.html
89 -rw-r--r--···0·root·········(0)·root·········(0)··3035498·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-ospp.html89 -rw-r--r--···0·root·········(0)·root·········(0)··3035498·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/ssg-sl7-guide-ospp.html
Offset 119, 140 lines modifiedOffset 119, 140 lines modified
119 -rw-r--r--···0·root·········(0)·root·········(0)··2223735·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-srgmap.html119 -rw-r--r--···0·root·········(0)·root·········(0)··2223735·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-srgmap.html
120 -rw-r--r--···0·root·········(0)·root·········(0)···277886·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-stig-testinfo.html120 -rw-r--r--···0·root·········(0)·root·········(0)···277886·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-stig-testinfo.html
121 -rw-r--r--···0·root·········(0)·root·········(0)···223440·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-stig.html121 -rw-r--r--···0·root·········(0)·root·········(0)···223440·2018-07-26·14:58:28.000000·./usr/share/doc/ssg-nondebian/table-rhel7-stig.html
122 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc-base/122 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/doc-base/
123 -rw-r--r--···0·root·········(0)·root·········(0)······498·2018-07-26·14:58:28.000000·./usr/share/doc-base/ssg-nondebian123 -rw-r--r--···0·root·········(0)·root·········(0)······498·2018-07-26·14:58:28.000000·./usr/share/doc-base/ssg-nondebian
124 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/124 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/
125 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/125 drwxr-xr-x···0·root·········(0)·root·········(0)········0·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/
126 -rw-r--r--···0·root·········(0)·root·········(0)····95233·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-C2S.yml126 -rw-r--r--···0·root·········(0)·root·········(0)····96113·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-C2S.yml
127 -rw-r--r--···0·root·········(0)·root·········(0)···169917·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-CS2.yml127 -rw-r--r--···0·root·········(0)·root·········(0)···170797·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-CS2.yml
128 -rw-r--r--···0·root·········(0)·root·········(0)···131701·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-CSCF-RHEL6-MLS.yml128 -rw-r--r--···0·root·········(0)·root·········(0)···132581·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-CSCF-RHEL6-MLS.yml
129 -rw-r--r--···0·root·········(0)·root·········(0)···140530·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-desktop.yml129 -rw-r--r--···0·root·········(0)·root·········(0)···141410·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-desktop.yml
130 -rw-r--r--···0·root·········(0)·root·········(0)···151894·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-fisma-medium-rhel6-server.yml130 -rw-r--r--···0·root·········(0)·root·········(0)···152774·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-fisma-medium-rhel6-server.yml
131 -rw-r--r--···0·root·········(0)·root·········(0)···131765·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-ftp-server.yml131 -rw-r--r--···0·root·········(0)·root·········(0)···132645·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-ftp-server.yml
132 -rw-r--r--···0·root·········(0)·root·········(0)···172179·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-nist-CL-IL-AL.yml132 -rw-r--r--···0·root·········(0)·root·········(0)···173059·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-nist-CL-IL-AL.yml
133 -rw-r--r--···0·root·········(0)·root·········(0)····92052·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-pci-dss.yml133 -rw-r--r--···0·root·········(0)·root·········(0)····92505·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-pci-dss.yml
134 -rw-r--r--···0·root·········(0)·root·········(0)····46220·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-rht-ccp.yml134 -rw-r--r--···0·root·········(0)·root·········(0)····47100·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-rht-ccp.yml
135 -rw-r--r--···0·root·········(0)·root·········(0)···131430·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-server.yml135 -rw-r--r--···0·root·········(0)·root·········(0)···132310·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-server.yml
136 -rw-r--r--···0·root·········(0)·root·········(0)···131201·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-standard.yml136 -rw-r--r--···0·root·········(0)·root·········(0)···132081·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-standard.yml
137 -rw-r--r--···0·root·········(0)·root·········(0)···151832·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-stig-rhel6-disa.yml137 -rw-r--r--···0·root·········(0)·root·········(0)···152712·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-stig-rhel6-disa.yml
138 -rw-r--r--···0·root·········(0)·root·········(0)···151628·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-usgcb-rhel6-server.yml138 -rw-r--r--···0·root·········(0)·root·········(0)···152508·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos6-role-usgcb-rhel6-server.yml
139 -rw-r--r--···0·root·········(0)·root·········(0)···209133·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-C2S.yml139 -rw-r--r--···0·root·········(0)·root·········(0)···209133·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-C2S.yml
140 -rw-r--r--···0·root·········(0)·root·········(0)···112377·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-cjis.yml140 -rw-r--r--···0·root·········(0)·root·········(0)···112377·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-cjis.yml
141 -rw-r--r--···0·root·········(0)·root·········(0)···190441·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-hipaa.yml141 -rw-r--r--···0·root·········(0)·root·········(0)···190441·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-hipaa.yml
142 -rw-r--r--···0·root·········(0)·root·········(0)···320643·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-nist-800-171-cui.yml142 -rw-r--r--···0·root·········(0)·root·········(0)···320643·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-nist-800-171-cui.yml
143 -rw-r--r--···0·root·········(0)·root·········(0)···321377·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-ospp.yml143 -rw-r--r--···0·root·········(0)·root·········(0)···321377·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-ospp.yml
144 -rw-r--r--···0·root·········(0)·root·········(0)···104337·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-pci-dss.yml144 -rw-r--r--···0·root·········(0)·root·········(0)···104337·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-pci-dss.yml
145 -rw-r--r--···0·root·········(0)·root·········(0)····43757·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-rht-ccp.yml145 -rw-r--r--···0·root·········(0)·root·········(0)····43757·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-rht-ccp.yml
146 -rw-r--r--···0·root·········(0)·root·········(0)····82665·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-standard.yml146 -rw-r--r--···0·root·········(0)·root·········(0)····82665·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-standard.yml
147 -rw-r--r--···0·root·········(0)·root·········(0)···232273·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-stig-rhel7-disa.yml147 -rw-r--r--···0·root·········(0)·root·········(0)···232273·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-centos7-role-stig-rhel7-disa.yml
148 -rw-r--r--···0·root·········(0)·root·········(0)·····1177·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel-osp7-role-stig-openstack.yml148 -rw-r--r--···0·root·········(0)·root·········(0)·····1177·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel-osp7-role-stig-openstack.yml
149 -rw-r--r--···0·root·········(0)·root·········(0)····95233·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-C2S.yml149 -rw-r--r--···0·root·········(0)·root·········(0)····96113·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-C2S.yml
150 -rw-r--r--···0·root·········(0)·root·········(0)···169917·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-CS2.yml150 -rw-r--r--···0·root·········(0)·root·········(0)···170797·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-CS2.yml
151 -rw-r--r--···0·root·········(0)·root·········(0)···131701·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-CSCF-RHEL6-MLS.yml151 -rw-r--r--···0·root·········(0)·root·········(0)···132581·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-CSCF-RHEL6-MLS.yml
152 -rw-r--r--···0·root·········(0)·root·········(0)···140530·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-desktop.yml152 -rw-r--r--···0·root·········(0)·root·········(0)···141410·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-desktop.yml
153 -rw-r--r--···0·root·········(0)·root·········(0)···151894·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-fisma-medium-rhel6-server.yml153 -rw-r--r--···0·root·········(0)·root·········(0)···152774·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-fisma-medium-rhel6-server.yml
154 -rw-r--r--···0·root·········(0)·root·········(0)···131765·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-ftp-server.yml154 -rw-r--r--···0·root·········(0)·root·········(0)···132645·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-ftp-server.yml
155 -rw-r--r--···0·root·········(0)·root·········(0)···172179·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-nist-CL-IL-AL.yml155 -rw-r--r--···0·root·········(0)·root·········(0)···173059·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-nist-CL-IL-AL.yml
156 -rw-r--r--···0·root·········(0)·root·········(0)····92052·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-pci-dss.yml156 -rw-r--r--···0·root·········(0)·root·········(0)····92505·2018-07-26·14:58:28.000000·./usr/share/scap-security-guide/ansible/ssg-rhel6-role-pci-dss.yml
1.45 MB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-C2S.html
Offset 65, 45 lines modifiedOffset 65, 43 lines modified
65 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in65 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
66 this·guide·without·first·testing·them·in·a·non-operational·environment.·The66 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
67 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by67 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
68 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its68 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
69 quality,·reliability,·or·any·other·characteristic.69 quality,·reliability,·or·any·other·characteristic.
70 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>70 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
71 ····························(as·of·2018-07-26)71 ····························(as·of·2018-07-26)
72 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a[·...·truncated·by·diffoscope;·len:·1198,·SHA:·51cf316a1f51145ef5b84d4df33141a3708861da5f3329cf77ffa71a74c6142b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content
_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services72 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.co
ntent_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
74 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It74 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
75 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which75 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
76 ones·can·be·safely·disabled.76 ones·can·be·safely·disabled.
77 <br><br>77 <br><br>
78 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional78 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
79 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up79 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
80 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server80 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
82 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft82 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
83 Windows·systems.·There·are·two·software·packages·that·provide83 that·passwords·and·other·data·transmitted·during·the·session·can·be
84 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of84 captured·and·that·the·session·is·vulnerable·to·hijacking.
85 command·line·tools·that·enable·a·client·system·to·access·Samba85 Therefore,·running·the·FTP·server·software·is·not·recommended.
86 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba86 <br><br>
87 service.·It·is·this·second·package·that·allows·a·Linux·system·to87 However,·there·are·some·FTP·server·configurations·which·may
88 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a88 be·appropriate·for·some·environments,·particularly·those·which
89 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by89 allow·only·read-only·anonymous·access·as·a·means·of·downloading
90 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible90 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
91 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it91 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
92 will·remain·disabled.·Do·not·enable·this·service·unless·it·is92 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
93 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print93 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
94 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_samba_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_samba_removed"·id="guide-tree-leaf-idm29012"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_samba_removed">Uninstall·samba·Package 
95 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_samba_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> 
96 ············94 ············
97 ········The·<code>samba</code>·package·can·be·removed·with·the·following·command:95 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
98 ········<pre>$·sudo·yum·erase·samba</pre>96 ········<pre>$·sudo·yum·erase·vsftpd</pre>
99 ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·mount·directories·and·file·systems·to97 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
100 Windows·systems,·then·this·service·can·be·deleted·to·reduce·98 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
101 the·potential·attack·surface.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 99 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
102 ························unknown</p></div><div·class="identifiers"></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29018">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29018"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.100 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
103 #101 #
104 #·Example·Call(s):102 #·Example·Call(s):
105 #103 #
106 #·····package_remove·telnet-server104 #·····package_remove·telnet-server
107 #105 #
108 function·package_remove·{106 function·package_remove·{
  
Offset 132, 59 lines modifiedOffset 130, 60 lines modified
132 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"130 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
133 ··echo·"Aborting."131 ··echo·"Aborting."
134 ··exit·1132 ··exit·1
135 fi133 fi
  
136 }134 }
  
137 package_remove·samba135 package_remove·vsftpd
138 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·samba·is·removed136 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29121">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29121"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed
139 ··package:137 ··package:
140 ····name="{{item}}"138 ····name="{{item}}"
141 ····state=absent139 ····state=absent
142 ··with_items:140 ··with_items:
143 ····-·samba141 ····-·vsftpd
144 ··tags:142 ··tags:
145 ····-·package_samba_removed143 ····-·package_vsftpd_removed
146 ····-·unknown_severity144 ····-·unknown_severity
147 ····-·disable_strategy145 ····-·disable_strategy
148 ····-·low_complexity146 ····-·low_complexity
149 ····-·low_disruption147 ····-·low_disruption
150 ····-·CCE-27102-3148 ····-·CCE-26687-4
151 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_samba149 ····-·NIST-800-53-CM-7
 150 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29122">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29122"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd
  
152 class·remove_samba·{151 class·remove_vsftpd·{
153 ··package·{·'samba':152 ··package·{·'vsftpd':
154 ····ensure·=&gt;·'purged',153 ····ensure·=&gt;·'purged',
155 ··}154 ··}
156 }155 }
157 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29022">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29022"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>156 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
158 package·--remove=samba157 package·--remove=vsftpd
159 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server158 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server
160 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to159 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to
161 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant160 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant
162 security·risk·because:161 security·risk·because:
163 <br><br>162 <br><br>
164 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long163 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long
165 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive164 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive
166 monitoring</li></ul>165 monitoring</li></ul>
167 <br><br>166 <br><br>
168 The·system's·default·web·server·software·is·Apache·2·and·is167 The·system's·default·web·server·software·is·Apache·2·and·is
169 provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible168 provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible
170 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system169 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system
171 does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled170 does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled
172 and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm29153"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_httpd_removed">Uninstall·httpd·Package171 and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm29172"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_httpd_removed">Uninstall·httpd·Package
173 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>172 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
174 ············173 ············
175 ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command:174 ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command:
176 ········<pre>$·sudo·yum·erase·httpd</pre>175 ········<pre>$·sudo·yum·erase·httpd</pre>
177 ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available,176 ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available,
178 removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 177 removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
179 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 178 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
180 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29160">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29160"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.179 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29179">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29179"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
181 #180 #
182 #·Example·Call(s):181 #·Example·Call(s):
183 #182 #
184 #·····package_remove·telnet-server183 #·····package_remove·telnet-server
185 #184 #
186 function·package_remove·{185 function·package_remove·{
  
Offset 214, 88 lines modifiedOffset 213, 54 lines modified
214 ··echo·"Aborting."213 ··echo·"Aborting."
215 ··exit·1214 ··exit·1
216 fi215 fi
  
217 }216 }
  
218 package_remove·httpd217 package_remove·httpd
219 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29162">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29162"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·httpd·is·removed218 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29181">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29181"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·httpd·is·removed
220 ··package:219 ··package:
221 ····name="{{item}}"220 ····name="{{item}}"
222 ····state=absent221 ····state=absent
223 ··with_items:222 ··with_items:
224 ····-·httpd223 ····-·httpd
225 ··tags:224 ··tags:
226 ····-·package_httpd_removed225 ····-·package_httpd_removed
227 ····-·unknown_severity226 ····-·unknown_severity
228 ····-·disable_strategy227 ····-·disable_strategy
229 ····-·low_complexity228 ····-·low_complexity
230 ····-·low_disruption229 ····-·low_disruption
231 ····-·CCE-27133-8230 ····-·CCE-27133-8
Max diff block lines reached; 1491404/1518933 bytes (98.19%) of diff not shown.
2.15 MB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-CS2.html
    
Offset 56, 45 lines modifiedOffset 56, 62 lines modified
56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a[·...·truncated·by·diffoscope;·len:·1198,·SHA:·51cf316a1f51145ef5b84d4df33141a3708861da5f3329cf77ffa71a74c6142b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content
_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.co
ntent_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
67 ones·can·be·safely·disabled.67 ones·can·be·safely·disabled.
68 <br><br>68 <br><br>
69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
72 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows72 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
73 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft73 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
74 Windows·systems.·There·are·two·software·packages·that·provide74 that·passwords·and·other·data·transmitted·during·the·session·can·be
75 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of75 captured·and·that·the·session·is·vulnerable·to·hijacking.
76 command·line·tools·that·enable·a·client·system·to·access·Samba76 Therefore,·running·the·FTP·server·software·is·not·recommended.
77 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba77 <br><br>
78 service.·It·is·this·second·package·that·allows·a·Linux·system·to78 However,·there·are·some·FTP·server·configurations·which·may
79 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a79 be·appropriate·for·some·environments,·particularly·those·which
80 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by80 allow·only·read-only·anonymous·access·as·a·means·of·downloading
81 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible81 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
83 will·remain·disabled.·Do·not·enable·this·service·unless·it·is83 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
84 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print84 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions
85 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm28998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba85 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code>
86 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>86 configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>:
 87 <pre>xferlog_enable=YES
 88 xferlog_std_format=NO
 89 log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to
 90 the·FTP·server·are·logged·using·the·verbose·vsftpd·log
 91 format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 92 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 93 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29063"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users
 94 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code>
 95 by·default.·Add·or·correct·the·following·configuration·options:
 96 <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 97 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 98 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
 99 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
 100 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
 101 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
87 ············102 ············
88 ········The·<code>smb</code>·service·can·be·disabled·with·the·following·command:103 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
89 ········<pre>$·sudo·chkconfig·smb·off</pre>104 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
90 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·a·Samba·server·provides·a·network-based·avenue·of·attack,·and105 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
91 should·be·disabled·if·not·needed.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 106 of·attack,·and·should·be·disabled·if·not·needed.
 107 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
 108 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
92 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 109 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
93 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29005">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29005"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.110 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
94 #111 #
95 #·Example·Call(s):112 #·Example·Call(s):
96 #113 #
97 #·····service_command·enable·bluetooth114 #·····service_command·enable·bluetooth
98 #·····service_command·disable·bluetooth.service115 #·····service_command·disable·bluetooth.service
99 #116 #
100 #·····Using·xinetd:117 #·····Using·xinetd:
Offset 161, 135 lines modifiedOffset 178, 123 lines modified
161 ··else178 ··else
162 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd179 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
163 ··fi180 ··fi
164 fi181 fi
  
165 }182 }
  
166 service_command·disable·smb183 service_command·disable·vsftpd
167 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29007">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29007"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·smb184 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29106"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd
168 ··service:185 ··service:
169 ····name="{{item}}"186 ····name="{{item}}"
170 ····enabled="no"187 ····enabled="no"
171 ····state="stopped"188 ····state="stopped"
172 ··register:·service_result189 ··register:·service_result
173 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"190 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
174 ··with_items:191 ··with_items:
175 ····-·smb192 ····-·vsftpd
176 ··tags:193 ··tags:
177 ····-·service_smb_disabled194 ····-·service_vsftpd_disabled
178 ····-·unknown_severity195 ····-·unknown_severity
179 ····-·disable_strategy196 ····-·disable_strategy
180 ····-·low_complexity197 ····-·low_complexity
181 ····-·low_disruption198 ····-·low_disruption
182 ····-·CCE-27143-7199 ····-·CCE-26948-0
183 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary200 ····-·NIST-800-53-CM-7
184 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in201 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
185 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a202 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
186 <code>[global]</code>·configuration·section·and·a·series·of·user203 ············
187 created·share·definition·sections·meant·to·describe·file·or·print204 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
188 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode205 ········<pre>$·sudo·yum·erase·vsftpd</pre>
189 and·allow·client·systems·to·access·local·home·directories·and206 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
190 printers.·It·is·recommended·that·these·settings·be·changed·or·that207 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
191 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_smb_server_disable_root"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smb_server_disable_root"·id="guide-tree-leaf-idm29068"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_smb_server_disable_root">Disable·Root·Access·to·SMB·Shares 
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_smb_server_disable_root">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Administrators·should·not·use·administrator·accounts·to·access 
193 Samba·file·and·printer·shares.·Disable·the·root·user·and·the·wheel 
194 administrator·group: 
195 <pre>[<i>share</i>] 
196 ··invalid·users·=·root·@wheel</pre> 
197 If·administrator·accounts·cannot·be·disabled,·ensure·that·local·system 
198 passwords·and·Samba·service·passwords·do·not·match.</p><span·class="label·label-primary">Rationale:</span><p>Typically,·administrator·access·is·required·when·Samba·must·create·user·and 
199 system·accounts·and·shares.·Domain·member·servers·and·standalone·servers·may 
200 not·need·administrator·access·at·all.·If·that·is·the·case,·add·the·invalid 
201 users·parameter·to·<code>[global]</code>·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
202 ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29075"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient 
203 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
204 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
205 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
206 <pre>client·signing·=·mandatory</pre> 
207 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
208 signing·ensures·they·can 
209 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
210 man-in-the-middle·attacks·which·modify·SMB·packets·in 
211 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
212 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 208 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
213 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><pre><code>######################################################################209 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
214 #By·Luke·"Brisk-OH"·Brisk210 #
215 #luke.brisk@boeing.com·or·luke.brisk@gmail.com211 #·Example·Call(s):
216 ######################################################################212 #
 213 #·····package_remove·telnet-server
 214 #
 215 function·package_remove·{
  
217 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)216 #·Load·function·arguments·into·local·variables
 217 local·package="$1"
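Review bot: The two builds disagree only in which rule occupies this position — `service_command disable smb` on the left against `service_command disable vsftpd` on the right, with the collapse anchors shifted from `idm29007` to `idm29106` and the tag from `CCE-27143-7` to `CCE-26948-0` — so the remediation text is identical on both sides and the difference is where the generated guide places each rule. That pattern, together with the differently ordered Table of Contents in the ssg-nondebian guide further down on this page, suggests the HTML guide generator (or the XCCDF build step feeding it) emits groups in a non-deterministic order, presumably an unordered set or dict iteration somewhere in the build scripts; that ordering, not the remediation content, is what makes the package fail the reproducibility comparison, and it cannot be fixed from this hunk. A fix would belong in the generator, for example sorting the group and rule collections by their XCCDF id before serialising, which would also stabilise the `idm…` anchors. The `service_command` function whose tail appears at the top of this hunk starts outside it, and `package_remove` at the bottom continues past the truncation notice, so neither body has been reviewed here.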
Max diff block lines reached; 2227557/2257749 bytes (98.66%) of diff not shown.
1.47 MB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-CSCF-RHEL6-MLS.html
    
Offset 61, 268 lines modifiedOffset 61, 146 lines modified
61 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in61 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
62 this·guide·without·first·testing·them·in·a·non-operational·environment.·The62 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
63 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by63 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
64 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its64 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
65 quality,·reliability,·or·any·other·characteristic.65 quality,·reliability,·or·any·other·characteristic.
66 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>66 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
67 ····························(as·of·2018-07-26)67 ····························(as·of·2018-07-26)
68 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avah[·...·truncated·by·diffoscope;·len:·769,·SHA:·3124dfdf73350166f9f7cbf4323d48d584287410c4cd751c8ee8b136e9c820f6·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_
benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services68 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a><
/li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SS[·...·truncated·by·diffoscope;·len:·769,·SHA:·db505ea275ff2d5c2ba13f068156b97f7fb51fc9aa062d91c74450db7783e2d3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
70 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It70 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
71 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which71 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
72 ones·can·be·safely·disabled.72 ones·can·be·safely·disabled.
73 <br><br>73 <br><br>
74 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional74 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
75 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up75 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
76 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server76 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
78 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant78 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
79 security·risk·because:79 that·passwords·and·other·data·transmitted·during·the·session·can·be
80 <br><br>80 captured·and·that·the·session·is·vulnerable·to·hijacking.
81 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long81 Therefore,·running·the·FTP·server·software·is·not·recommended.
82 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive 
83 monitoring</li></ul> 
84 <br><br> 
85 The·system's·default·web·server·software·is·Apache·2·and·is 
86 provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_securing_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_securing_httpd">Secure·Apache·Configuration 
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_securing_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>httpd</code>·configuration·file·is 
88 <code>/etc/httpd/conf/httpd.conf</code>.·Apply·the·recommendations·in·the·remainder 
89 of·this·section·to·this·file.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">Restrict·Web·Server·Information·Leakage 
90 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>ServerTokens</code>·and·<code>ServerSignature</code>·directives·determine·how 
91 much·information·the·web·server·discloses·about·the·configuration·of·the 
92 system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·id="guide-tree-leaf-idm29179"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">Set·httpd·ServerTokens·Directive·to·Prod 
93 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p><code>ServerTokens·Prod</code>·restricts·information·in·page·headers,·returning·only·the·word·"Apache." 
94 <br><br>82 <br><br>
95 Add·or·correct·the·following·directive·in·<code>/etc/httpd/conf/httpd.conf</code>:83 However,·there·are·some·FTP·server·configurations·which·may
96 <pre>ServerTokens·Prod</pre></p><span·class="label·label-primary">Rationale:</span><p>Information·disclosed·to·clients·about·the·configuration·of·the·web·server·and·system·could·be·used84 be·appropriate·for·some·environments,·particularly·those·which
97 to·plan·an·attack·on·the·given·system.·This·information·disclosure·should·be·restricted·to·a·minimum.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 85 allow·only·read-only·anonymous·access·as·a·means·of·downloading
98 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 86 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
99 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server">Configure·Operating·System·to·Protect·Web·Server87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
100 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·following·configuration·steps·should·be·taken·on·the·system·which·hosts·the88 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
101 web·server,·in·order·to·provide·as·safe·an·environment·as·possible·for·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td·style="padding-left:·95px"><h3·id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access">Restrict·File·and·Directory·Access89 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
102 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Minimize·access·to·critical·<code>httpd</code>·files·and·directories.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td·style="padding-left:·95px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files"·id="guide-tree-leaf-idm29238"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files">Set·Permissions·on·All·Configuration·Files·In[·...·truncated·by·diffoscope;·len:·21,·SHA:·a654334628ce638827ebb93749447f027c2f5ab718a08056943c12357d56bb7e·...·]90 ············
103 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Set·permissions·on·the·web·server·configuration·files·to·640:91 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
104 <pre>$·sudo·chmod·640·/etc/httpd/conf/*</pre></p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·configuration·files·may·allow·an·unauthorized·user·or·attacker92 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
105 to·access·information·about·the·web·server·or·to·alter·the·server's·configuration·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span93 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
106 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span94 of·attack,·and·should·be·disabled·if·not·needed.
107 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29244">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29244"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>95 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
108 chmod·0640·/etc/httpd/conf/*96 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
109 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29245">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29245"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> 
110 -·name:·Find·/etc/httpd/conf/*·file(s) 
111 ··find: 
112 ····paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" 
113 ····patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" 
114 ··register:·files_found 
115 ··tags: 
116 ····-·file_permissions_httpd_server_conf_files 
117 ····-·unknown_severity 
118 ····-·configure_strategy 
119 ····-·low_complexity 
120 ····-·low_disruption 
121 ····-·CCE-27316-9 
122 ····-·NIST-800-53-CM-7 
  
123 -·name:·Set·permissions 
124 ··file: 
125 ····path:·"{{·item.path·}}" 
126 ····mode:·0640 
127 ··with_items: 
128 ····-·"{{·files_found.files·}}" 
129 ··tags: 
130 ····-·file_permissions_httpd_server_conf_files 
131 ····-·unknown_severity 
132 ····-·configure_strategy 
133 ····-·low_complexity 
134 ····-·low_disruption 
135 ····-·CCE-27316-9 
136 ····-·NIST-800-53-CM-7 
137 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29248"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory 
138 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: 
139 <pre>$·sudo·chmod·700·/var/log/httpd/</pre> 
140 This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker 
141 to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
142 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 97 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
143 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software98 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
144 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. 
145 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious 
146 targets·of·network·attack. 
147 Ensure·that·systems·are·not·running·MTAs·unnecessarily, 
148 and·configure·needed·MTAs·as·defensively·as·possible. 
149 <br><br> 
150 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the 
151 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email 
152 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. 
153 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, 
154 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. 
155 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
156 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
157 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
158 <br><br> 
159 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software 
160 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. 
161 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by 
162 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. 
163 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients 
164 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only 
165 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29520"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening 
166 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following 
167 <code>inet_interfaces</code>·line·appears: 
168 <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages 
169 (such·as·cron·job·reports)·from·the·local·system·only, 
170 and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
171 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
172 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_sendmail_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed"·id="guide-tree-leaf-idm29612"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_sendmail_removed">Uninstall·Sendmail·Package 
173 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_sendmail_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Sendmail·is·not·the·default·mail·transfer·agent·and·is 
174 not·installed·by·default. 
  
175 ········The·<code>sendmail</code>·package·can·be·removed·with·the·following·command: 
176 ········<pre>$·sudo·yum·erase·sendmail</pre></p><span·class="label·label-primary">Rationale:</span><p>The·sendmail·software·was·not·developed·with·security·in·mind·and 
177 its·design·prevents·it·from·being·effectively·contained·by·SELinux.··Postfix 
178 should·be·used·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
179 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
180 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50472r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29621">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29621"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
181 #99 #
182 #·Example·Call(s):100 #·Example·Call(s):
183 #101 #
184 #·····package_remove·telnet-server102 #·····service_command·enable·bluetooth
 103 #·····service_command·disable·bluetooth.service
Max diff block lines reached; 1505603/1536600 bytes (97.98%) of diff not shown.
255 KB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-default.html
    
Offset 56, 89 lines modifiedOffset 56, 44 lines modified
56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·S[·...·truncated·by·diffoscope;·len:·1394,·SHA:·f9605989138a055136c42bc085f02de0147473f760d936bba4f0446adaf588d9·...·]</a></li></ol></ol><di
v·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#
xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li[·...·truncated·by·diffoscope;·len:·1394,·SHA:·9a1bfb5c7765341b73597905fe9f3f980e67a77f0272acdc04afd633558c2516·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
74 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft74 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
75 Windows·systems.·There·are·two·software·packages·that·provide75 that·passwords·and·other·data·transmitted·during·the·session·can·be
76 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of76 captured·and·that·the·session·is·vulnerable·to·hijacking.
77 command·line·tools·that·enable·a·client·system·to·access·Samba77 Therefore,·running·the·FTP·server·software·is·not·recommended.
78 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba78 <br><br>
79 service.·It·is·this·second·package·that·allows·a·Linux·system·to79 However,·there·are·some·FTP·server·configurations·which·may
80 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a80 be·appropriate·for·some·environments,·particularly·those·which
81 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by81 allow·only·read-only·anonymous·access·as·a·means·of·downloading
82 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible82 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
84 will·remain·disabled.·Do·not·enable·this·service·unless·it·is84 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
85 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print85 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP
86 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary86 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in87 do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an
88 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a88 identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
89 <code>[global]</code>·configuration·section·and·a·series·of·user89 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and
90 created·share·definition·sections·meant·to·describe·file·or·print90 set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
91 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode91 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
92 and·allow·client·systems·to·access·local·home·directories·and92 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server
93 printers.·It·is·recommended·that·these·settings·be·changed·or·that 
94 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_disable_printing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_disable_printing">Restrict·Printer·Sharing 
95 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_disable_printing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·Samba·utilizes·the·CUPS·printing·service·to·enable 
96 printer·sharing·with·Microsoft·Windows·workstations.·If·there·are·no·printers 
97 on·the·local·system,·or·if·printer·sharing·with·Microsoft·Windows·is·not 
98 required,·disable·the·printer·sharing·capability·by·commenting·out·the 
99 following·lines,·found·in·<code>/etc/samba/smb.conf</code>: 
100 <pre>[global] 
101 ··load·printers·=·yes 
102 ··cups·options·=·raw 
103 [printers] 
104 ··comment·=·All·Printers 
105 ··path·=·/usr/spool/samba 
106 ··browseable·=·no 
107 ··guest·ok·=·no 
108 ··writable·=·no 
109 ··printable·=·yes</pre> 
110 There·may·be·other·options·present,·but·these·are·the·only·options·enabled·and 
111 uncommented·by·default.·Removing·the·<code>[printers]</code>·share·should·be·enough 
112 for·most·users.··If·the·Samba·printer·sharing·capability·is·needed,·consider 
113 disabling·the·Samba·network·browsing·capability·or·restricting·access·to·a 
114 particular·set·of·users·or·network·addresses.·Set·the·<code>valid·users</code> 
115 parameter·to·a·small·subset·of·users·or·restrict·it·to·a·particular·group·of 
116 users·with·the·shorthand·<code>@</code>.·Separate·each·user·or·group·of·users·with 
117 a·space.·For·example,·under·the·<code>[printers]</code>·share: 
118 <pre>[printers] 
119 ··valid·users·=·user·@printerusers</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">Restrict·SMB·File·Sharing·to·Configured·Networks 
120 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Only·users·with·local·user·accounts·will·be·able·to·log·in·to 
121 Samba·shares·by·default.·Shares·can·be·limited·to·particular·users·or·network 
122 addresses.·Use·the·<code>hosts·allow</code>·and·<code>hosts·deny</code>·directives 
123 accordingly,·and·consider·setting·the·valid·users·directive·to·a·limited·subset 
124 of·users·or·to·a·group·of·users.·Separate·each·address,·user,·or·user·group 
125 with·a·space·as·follows·for·a·particular·<i>share</i>·or·global: 
126 <pre>[<i>share</i>] 
127 ··hosts·allow·=·192.168.1.·127.0.0.1 
128 ··valid·users·=·userone·usertwo·@usergroup</pre> 
129 It·is·also·possible·to·limit·read·and·write·access·to·particular·users·with·the 
130 read·list·and·write·list·options,·though·the·permissions·set·by·the·system 
131 itself·will·override·these·settings.·Set·the·read·only·attribute·for·each·share 
132 to·ensure·that·global·settings·will·not·accidentally·override·the·individual 
133 share·settings.·Then,·as·with·the·valid·users·directive,·separate·each·user·or 
134 group·of·users·with·a·space: 
135 <pre>[<i>share</i>] 
136 ··read·only·=·yes 
137 ··write·list·=·userone·usertwo·@usergroup</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server 
138 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to93 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to
139 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant94 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant
140 security·risk·because:95 security·risk·because:
141 <br><br>96 <br><br>
142 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long97 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long
143 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive98 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive
144 monitoring</li></ul>99 monitoring</li></ul>
Offset 351, 165 lines modifiedOffset 306, 179 lines modified
351 <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration306 <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration
352 <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery)307 <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery)
353 <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization308 <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization
354 <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies309 <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies
355 <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting310 <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting
356 <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul>311 <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul>
357 Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk312 Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk
358 by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software313 by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server
359 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network.314 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at
360 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious315 least·one·nameserver.·However,·there·are·many·common·attacks
361 targets·of·network·attack.316 involving·DNS·server·software,·and·this·server·software·should
362 Ensure·that·systems·are·not·running·MTAs·unnecessarily,317 be·disabled·on·any·system
363 and·configure·needed·MTAs·as·defensively·as·possible.318 on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate·DNS·from·Other·Services
364 <br><br>319 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server
365 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the320 from·interfering·with·other·services.·This·is·done·both·to·protect·the
366 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email321 remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct
367 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3.322 attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail
368 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email,323 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package:
369 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator.324 <pre>$·sudo·yum·install·bind-chroot</pre>
370 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from325 Place·a·valid·named.conf·file·inside·the·chroot·jail:
371 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account),326 <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf
372 but·the·system·still·cannot·receive·mail·directly·over·a·network.327 $·sudo·chown·root:root·/var/named/chroot/etc/named.conf
373 <br><br>328 $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre>
374 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software329 Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the
375 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred.330 options·directive.·If·your·<code>named.conf</code>·includes:
376 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by331 <pre>options·{
377 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions.332 directory·"/path/to/DIRNAME·";
378 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients333 ...
379 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only334 }</pre>
380 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_harden_os"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_harden_os"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_harden_os">Configure·Operating·System·to·Protect·Mail·Server335 then·copy·that·directory·and·its·contents·from·the·original·zone·directory:
381 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_harden_os">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·guidance·in·this·section·is·appropriate·for·any·host·which·is336 <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre>
382 operating·as·a·site·MTA,·whether·the·mail·server·runs·using·Sendmail,·Postfix,337 Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>:
383 or·some·other·software.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs">Configure·SSL·Certificates·for·Use·with·SMTP·AUTH338 <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers
384 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·SMTP·AUTH·is·to·be·used,·the·use·of·SSL·to·protect·credentials·in·transit·is·strongly·recommended.339 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is
385 There·are·also·configurations·for·which·it·may·be·desirable·to·encrypt·all·mail·in·transit·from·one·MTA·to·another,340 a·high-risk·service·which·must·frequently·be·made·available·to·the·entire
386 though·such·configurations·are·beyond·the·scope·of·this·guide.·In·either·event,·the·steps·for·creating·and·installing341 Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by
387 an·SSL·certificate·are·independent·of·the·MTA·in·use,·and·are·described·here.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_install_ssl_cert"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"><td·style="padding-left:·95px"><h3·id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert">Ensure·Security·of·Postfix·SSL·Certificate342 machines·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect·DNS·Data·from·Tampering·or·Attack
Max diff block lines reached; 198673/261263 bytes (76.04%) of diff not shown.
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-desktop.html
    
Offset 57, 45 lines modifiedOffset 57, 45 lines modified
57 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in57 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
61 quality,·reliability,·or·any·other·characteristic.61 quality,·reliability,·or·any·other·characteristic.
62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
63 ····························(as·of·2018-07-26)63 ····························(as·of·2018-07-26)
64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·1034,·SHA:·985d77cbb1354040badea5ab3b500f53cf1a38fb7eaccb8d6cd1d71f33e9ba4b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content
_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_
group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1034,·SHA:·1b10be6148833f42610be20bd7d90e370d8d04968a079fa39af8874411e4f268·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
74 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft74 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
75 Windows·systems.·There·are·two·software·packages·that·provide75 that·passwords·and·other·data·transmitted·during·the·session·can·be
76 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of76 captured·and·that·the·session·is·vulnerable·to·hijacking.
77 command·line·tools·that·enable·a·client·system·to·access·Samba77 Therefore,·running·the·FTP·server·software·is·not·recommended.
78 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba78 <br><br>
79 service.·It·is·this·second·package·that·allows·a·Linux·system·to79 However,·there·are·some·FTP·server·configurations·which·may
80 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a80 be·appropriate·for·some·environments,·particularly·those·which
81 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by81 allow·only·read-only·anonymous·access·as·a·means·of·downloading
82 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible82 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
84 will·remain·disabled.·Do·not·enable·this·service·unless·it·is84 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
85 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print85 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
86 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm28998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba 
87 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> 
88 ············86 ············
89 ········The·<code>smb</code>·service·can·be·disabled·with·the·following·command:87 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
90 ········<pre>$·sudo·chkconfig·smb·off</pre>88 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
91 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·a·Samba·server·provides·a·network-based·avenue·of·attack,·and89 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
92 should·be·disabled·if·not·needed.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 90 of·attack,·and·should·be·disabled·if·not·needed.
 91 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
 92 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
94 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29005">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29005"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.94 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
95 #95 #
96 #·Example·Call(s):96 #·Example·Call(s):
97 #97 #
98 #·····service_command·enable·bluetooth98 #·····service_command·enable·bluetooth
99 #·····service_command·disable·bluetooth.service99 #·····service_command·disable·bluetooth.service
100 #100 #
101 #·····Using·xinetd:101 #·····Using·xinetd:
Offset 162, 124 lines modifiedOffset 162, 123 lines modified
162 ··else162 ··else
163 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd163 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
164 ··fi164 ··fi
165 fi165 fi
  
166 }166 }
  
167 service_command·disable·smb167 service_command·disable·vsftpd
168 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29007">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29007"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·smb168 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29106"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd
169 ··service:169 ··service:
170 ····name="{{item}}"170 ····name="{{item}}"
171 ····enabled="no"171 ····enabled="no"
172 ····state="stopped"172 ····state="stopped"
173 ··register:·service_result173 ··register:·service_result
174 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"174 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
175 ··with_items:175 ··with_items:
176 ····-·smb176 ····-·vsftpd
177 ··tags:177 ··tags:
178 ····-·service_smb_disabled178 ····-·service_vsftpd_disabled
179 ····-·unknown_severity179 ····-·unknown_severity
180 ····-·disable_strategy180 ····-·disable_strategy
181 ····-·low_complexity181 ····-·low_complexity
182 ····-·low_disruption182 ····-·low_disruption
183 ····-·CCE-27143-7183 ····-·CCE-26948-0
184 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary184 ····-·NIST-800-53-CM-7
185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in185 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
186 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a186 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
187 <code>[global]</code>·configuration·section·and·a·series·of·user187 ············
188 created·share·definition·sections·meant·to·describe·file·or·print188 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
189 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode189 ········<pre>$·sudo·yum·erase·vsftpd</pre>
190 and·allow·client·systems·to·access·local·home·directories·and190 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
191 printers.·It·is·recommended·that·these·settings·be·changed·or·that191 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
192 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29075"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient 
193 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
194 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
195 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
196 <pre>client·signing·=·mandatory</pre> 
197 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
198 signing·ensures·they·can 
199 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
200 man-in-the-middle·attacks·which·modify·SMB·packets·in 
201 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
202 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 192 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
203 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><pre><code>######################################################################193 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
204 #By·Luke·"Brisk-OH"·Brisk194 #
205 #luke.brisk@boeing.com·or·luke.brisk@gmail.com195 #·Example·Call(s):
206 ######################################################################196 #
 197 #·····package_remove·telnet-server
 198 #
 199 function·package_remove·{
  
207 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)200 #·Load·function·arguments·into·local·variables
 201 local·package="$1"
  
208 if·[·"$CLIENTSIGNING"·-eq·0·];··then202 #·Check·sanity·of·the·input
209 »       #·Add·to·global·section203 if·[·$#·-ne·"1"·]
210 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf204 then
 205 ··echo·"Usage:·package_remove·'package_name'"
 206 ··echo·"Aborting."
 207 ··exit·1
 208 fi
  
 209 if·which·dnf·;·then
 210 ··if·rpm·-q·--quiet·"$package";·then
 211 ····dnf·remove·-y·"$package"
 212 ··fi
 213 elif·which·yum·;·then
 214 ··if·rpm·-q·--quiet·"$package";·then
 215 ····yum·remove·-y·"$package"
 216 ··fi
 217 elif·which·apt-get·;·then
 218 ··apt-get·remove·-y·"$package"
211 else219 else
212 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf220 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 221 ··echo·"Aborting."
 222 ··exit·1
213 fi223 fi
214 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29087">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29087"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists 
215 ··stat: 
Max diff block lines reached; 1564541/1590328 bytes (98.38%) of diff not shown.
1.48 MB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-fisma-medium-rhel6-server.html
    
Offset 56, 15 lines modifiedOffset 56, 15 lines modified
56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·[·...·truncated·by·diffoscope;·len:·81,·SHA:·e40bd79f1fd9eb150f341bd639fb375c20752df2c72fcb82d1b970a8a17b24d7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·
table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccd
f_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·81,·SHA:·4c0efd7fd5ff299a2185037a736930f562109fd8f8ac833d06c44618aa2adc79·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
67 ones·can·be·safely·disabled.67 ones·can·be·safely·disabled.
68 <br><br>68 <br><br>
69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 91, 15 lines modifiedOffset 91, 15 lines modified
91 <br><br>91 <br><br>
92 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP92 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP
93 servers,·and·the·remainder·obtaining·time·information·from·those93 servers,·and·the·remainder·obtaining·time·information·from·those
94 internal·servers.94 internal·servers.
95 <br><br>95 <br><br>
96 More·information·on·how·to·configure·the·NTP·server·software,96 More·information·on·how·to·configure·the·NTP·server·software,
97 including·configuration·of·cryptographic·authentication·for97 including·configuration·of·cryptographic·authentication·for
98 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29885"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon98 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29833"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon
99 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>99 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
100 ··········100 ··········
101 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:101 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
102 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>102 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>
103 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>103 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>
104 service·will·be·running·and·that·the·system·will·synchronize·its·time·to104 service·will·be·running·and·that·the·system·will·synchronize·its·time·to
105 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be105 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be
Offset 108, 15 lines modifiedOffset 108, 15 lines modified
108 services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate108 services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate
109 logs·and·auditing·possible·security·breaches.··109 logs·and·auditing·possible·security·breaches.··
110 <br><br>110 <br><br>
111 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·111 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·
112 deprecated.··Additional·information·on·this·is·available·at·112 deprecated.··Additional·information·on·this·is·available·at·
113 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 113 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
114 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 114 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
115 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29902">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29902"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.115 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29850">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29850"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
116 #116 #
117 #·Example·Call(s):117 #·Example·Call(s):
118 #118 #
119 #·····service_command·enable·bluetooth119 #·····service_command·enable·bluetooth
120 #·····service_command·disable·bluetooth.service120 #·····service_command·disable·bluetooth.service
121 #121 #
122 #·····Using·xinetd:122 #·····Using·xinetd:
Offset 184, 15 lines modifiedOffset 184, 15 lines modified
184 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd184 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
185 ··fi185 ··fi
186 fi186 fi
  
187 }187 }
  
188 service_command·enable·ntpd188 service_command·enable·ntpd
189 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29904">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29904"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd189 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29852">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29852"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd
190 ··service:190 ··service:
191 ····name="{{item}}"191 ····name="{{item}}"
192 ····enabled="yes"192 ····enabled="yes"
193 ····state="started"193 ····state="started"
194 ··with_items:194 ··with_items:
195 ····-·ntpd195 ····-·ntpd
196 ··tags:196 ··tags:
Offset 201, 35 lines modifiedOffset 201, 248 lines modified
201 ····-·enable_strategy201 ····-·enable_strategy
202 ····-·low_complexity202 ····-·low_complexity
203 ····-·low_disruption203 ····-·low_disruption
204 ····-·CCE-27093-4204 ····-·CCE-27093-4
205 ····-·NIST-800-53-AU-8(1)205 ····-·NIST-800-53-AU-8(1)
206 ····-·PCI-DSS-Req-10.4206 ····-·PCI-DSS-Req-10.4
207 ····-·DISA-STIG-RHEL-06-000247207 ····-·DISA-STIG-RHEL-06-000247
208 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29909"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers208 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29857"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers
209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization
210 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the210 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the
211 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for211 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for
212 <em>ntpserver</em>:212 <em>ntpserver</em>:
213 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of213 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of
214 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes214 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes
215 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for215 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for
216 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 216 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
217 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 217 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
218 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29921"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server218 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29869"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server
219 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit219 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit
220 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,220 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,
221 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:221 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:
222 <pre>server·<i>ntpserver</i></pre>222 <pre>server·<i>ntpserver</i></pre>
223 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time223 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time
224 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible224 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible
225 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with225 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with
226 real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 226 real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
227 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 227 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
228 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services228 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons
 229 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to
 230 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost
 231 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or
 232 may·not·be·required·on·a·given·system.·Both·daemons·should·be
 233 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm30082"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service
 234 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at
 235 preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary
 236 maintenance·tasks,·such·as·notifying·root·of·system·activity.
  
 237 ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command:
 238 ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks,
 239 enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 240 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 241 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm30092">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30092"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 242 #
 243 #·Example·Call(s):
 244 #
 245 #·····service_command·enable·bluetooth
 246 #·····service_command·disable·bluetooth.service
 247 #
 248 #·····Using·xinetd:
 249 #·····service_command·disable·rsh.socket·xinetd=rsh
 250 #
 251 function·service_command·{
  
 252 #·Load·function·arguments·into·local·variables
 253 local·service_state=$1
 254 local·service=$2
 255 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 256 #·Check·sanity·of·the·input
 257 if·[·$#·-lt·"2"·]
 258 then
 259 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 260 ··echo
Max diff block lines reached; 1517700/1549513 bytes (97.95%) of diff not shown.
1.36 MB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-ftp-server.html
    
Offset 56, 23 lines modifiedOffset 56, 140 lines modified
56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="[·...·truncated·by·diffoscope;·len:·734,·SHA:·1f08c4e9f3a384d6ec4b26a81613c923ba42116513facbf12303cf00da55fab1·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_
benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproj
ect.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="[·...·truncated·by·diffoscope;·len:·734,·SHA:·25c03cfca8c8e7566953764cd9421d66561e88aec462809a5f7eec462db2bd40·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
67 ones·can·be·safely·disabled.67 ones·can·be·safely·disabled.
68 <br><br>68 <br><br>
69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
 72 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
 73 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
 74 that·passwords·and·other·data·transmitted·during·the·session·can·be
 75 captured·and·that·the·session·is·vulnerable·to·hijacking.
 76 Therefore,·running·the·FTP·server·software·is·not·recommended.
 77 <br><br>
 78 However,·there·are·some·FTP·server·configurations·which·may
 79 be·appropriate·for·some·environments,·particularly·those·which
 80 allow·only·read-only·anonymous·access·as·a·means·of·downloading
 81 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
 82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
 83 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
 84 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP
 85 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to
 86 do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an
 87 identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·id="guide-tree-leaf-idm29002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">Restrict·Access·to·Anonymous·Users·if·Possible
 88 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than
 89 using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option:
 90 <pre>local_enable=NO</pre>
 91 If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure
 92 these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 94 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_home_partition"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_home_partition"·id="guide-tree-leaf-idm29038"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_home_partition">Place·the·FTP·Home·Directory·on·its·Own·Partition
 95 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can
 96 be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent
 97 these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 98 ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions
 99 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code>
 100 configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>:
 101 <pre>xferlog_enable=YES
 102 xferlog_std_format=NO
 103 log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to
 104 the·FTP·server·are·logged·using·the·verbose·vsftpd·log
 105 format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 106 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 107 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·id="guide-tree-leaf-idm29056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads">Disable·FTP·Uploads·if·Possible
 108 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not,
 109 edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options:
 110 <pre>write_enable=NO</pre>
 111 If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions
 112 as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less
 113 common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it
 114 is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 115 ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29063"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users
 116 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code>
 117 by·default.·Add·or·correct·the·following·configuration·options:
 118 <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 119 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 120 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
 121 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and
 122 set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package
 123 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels.
 124 <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security
 125 and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 126 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 127 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 128 #
 129 #·Example·Call(s):
 130 #
 131 #·····package_install·aide
 132 #
 133 function·package_install·{
  
 134 #·Load·function·arguments·into·local·variables
 135 local·package="$1"
  
 136 #·Check·sanity·of·the·input
 137 if·[·$#·-ne·"1"·]
 138 then
 139 ··echo·"Usage:·package_install·'package_name'"
 140 ··echo·"Aborting."
 141 ··exit·1
 142 fi
  
 143 if·which·dnf·;·then
 144 ··if·!·rpm·-q·--quiet·"$package";·then
 145 ····dnf·install·-y·"$package"
 146 ··fi
 147 elif·which·yum·;·then
 148 ··if·!·rpm·-q·--quiet·"$package";·then
 149 ····yum·install·-y·"$package"
 150 ··fi
 151 elif·which·apt-get·;·then
 152 ··apt-get·install·-y·"$package"
 153 else
 154 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 155 ··echo·"Aborting."
 156 ··exit·1
 157 fi
  
 158 }
  
 159 package_install·vsftpd
 160 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29088">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29088"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·installed
 161 ··package:
 162 ····name="{{item}}"
 163 ····state=present
 164 ··with_items:
 165 ····-·vsftpd
 166 ··tags:
 167 ····-·package_vsftpd_installed
 168 ····-·unknown_severity
 169 ····-·enable_strategy
 170 ····-·low_complexity
 171 ····-·low_disruption
 172 ····-·CCE-27187-4
 173 ····-·NIST-800-53-CM-7
 174 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29089">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29089"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_vsftpd
  
 175 class·install_vsftpd·{
 176 ··package·{·'vsftpd':
Max diff block lines reached; 1399001/1424881 bytes (98.18%) of diff not shown.
1.91 MB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-nist-CL-IL-AL.html
    
Offset 61, 125 lines modifiedOffset 61, 125 lines modified
61 this·guide·without·first·testing·them·in·a·non-operational·environment.·The61 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
62 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by62 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
63 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its63 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
64 quality,·reliability,·or·any·other·characteristic.64 quality,·reliability,·or·any·other·characteristic.
65 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat·65 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat·
66 Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>66 Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
67 ····························(as·of·2018-07-26)67 ····························(as·of·2018-07-26)
68 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org[·...·truncated·by·diffoscope;·len:·879,·SHA:·21ff6503618adec4c4c9c4a0ed6e669d5b889b87c0da4727c50ebdf28eb0b4ae·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_
benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services68 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.con
tent_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org[·...·truncated·by·diffoscope;·len:·879,·SHA:·a9e3098c4894efb85e37b60670bbc0450483217500119b1f1ca43a0e1222a6a3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
70 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It70 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
71 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which71 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
72 ones·can·be·safely·disabled.72 ones·can·be·safely·disabled.
73 <br><br>73 <br><br>
74 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional74 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
75 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up75 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
76 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server76 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
78 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft78 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
79 Windows·systems.·There·are·two·software·packages·that·provide79 that·passwords·and·other·data·transmitted·during·the·session·can·be
80 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of80 captured·and·that·the·session·is·vulnerable·to·hijacking.
81 command·line·tools·that·enable·a·client·system·to·access·Samba81 Therefore,·running·the·FTP·server·software·is·not·recommended.
82 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba82 <br><br>
83 service.·It·is·this·second·package·that·allows·a·Linux·system·to83 However,·there·are·some·FTP·server·configurations·which·may
84 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a84 be·appropriate·for·some·environments,·particularly·those·which
85 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by85 allow·only·read-only·anonymous·access·as·a·means·of·downloading
86 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary86 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
88 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a88 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
89 <code>[global]</code>·configuration·section·and·a·series·of·user89 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
90 created·share·definition·sections·meant·to·describe·file·or·print90 ············
91 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode91 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
92 and·allow·client·systems·to·access·local·home·directories·and92 ········<pre>$·sudo·yum·erase·vsftpd</pre>
93 printers.·It·is·recommended·that·these·settings·be·changed·or·that93 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
94 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29075"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient94 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
95 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
96 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
97 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
98 <pre>client·signing·=·mandatory</pre> 
99 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
100 signing·ensures·they·can 
101 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
102 man-in-the-middle·attacks·which·modify·SMB·packets·in 
103 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
104 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 95 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
105 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><pre><code>######################################################################96 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
106 #By·Luke·"Brisk-OH"·Brisk97 #
107 #luke.brisk@boeing.com·or·luke.brisk@gmail.com98 #·Example·Call(s):
108 ######################################################################99 #
 100 #·····package_remove·telnet-server
 101 #
 102 function·package_remove·{
  
109 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)103 #·Load·function·arguments·into·local·variables
 104 local·package="$1"
  
110 if·[·"$CLIENTSIGNING"·-eq·0·];··then105 #·Check·sanity·of·the·input
111 »       #·Add·to·global·section106 if·[·$#·-ne·"1"·]
112 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf107 then
 108 ··echo·"Usage:·package_remove·'package_name'"
 109 ··echo·"Aborting."
 110 ··exit·1
 111 fi
  
 112 if·which·dnf·;·then
 113 ··if·rpm·-q·--quiet·"$package";·then
 114 ····dnf·remove·-y·"$package"
 115 ··fi
 116 elif·which·yum·;·then
 117 ··if·rpm·-q·--quiet·"$package";·then
 118 ····yum·remove·-y·"$package"
 119 ··fi
 120 elif·which·apt-get·;·then
 121 ··apt-get·remove·-y·"$package"
113 else122 else
114 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf123 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 124 ··echo·"Aborting."
 125 ··exit·1
115 fi126 fi
116 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29087">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29087"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists 
117 ··stat: 
118 ····path:·/etc/samba/smb.conf 
119 ··register:·st_smb 
120 ··tags: 
121 ····-·require_smb_client_signing 
122 ····-·unknown_severity 
123 ····-·configure_strategy 
124 ····-·low_complexity 
125 ····-·medium_disruption 
126 ····-·CCE-26328-5 
127 ····-·DISA-STIG-RHEL-06-000272 
  
128 -·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient127 }
129 ··lineinfile: 
130 ····dest:·/etc/samba/smb.conf128 package_remove·vsftpd
131 ····line:·client·signing·=·mandatory129 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29121">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29121"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed
132 ····state:·present130 ··package:
133 ····insertafter:·[global]131 ····name="{{item}}"
134 ··when:·st_smb.stat.exists132 ····state=absent
 133 ··with_items:
 134 ····-·vsftpd
135 ··tags:135 ··tags:
136 ····-·require_smb_client_signing136 ····-·package_vsftpd_removed
137 ····-·unknown_severity137 ····-·unknown_severity
138 ····-·configure_strategy138 ····-·disable_strategy
139 ····-·low_complexity139 ····-·low_complexity
140 ····-·medium_disruption140 ····-·low_disruption
141 ····-·CCE-26328-5141 ····-·CCE-26687-4
142 ····-·DISA-STIG-RHEL-06-000272142 ····-·NIST-800-53-CM-7
143 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29092"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs143 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29122">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29122"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd
144 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba 
145 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares144 class·remove_vsftpd·{
146 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either145 ··package·{·'vsftpd':
147 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.146 ····ensure·=&gt;·'purged',
148 <br><br>147 ··}
149 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba148 }
150 client·should·only·communicate·with·servers·who·can·support·SMB149 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
151 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle150 package·--remove=vsftpd
152 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 151 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server
153 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
154 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server 
155 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to152 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to
156 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant153 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant
157 security·risk·because:154 security·risk·because:
158 <br><br>155 <br><br>
159 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long156 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long
160 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive157 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive
161 monitoring</li></ul>158 monitoring</li></ul>
Max diff block lines reached; 1979883/2003624 bytes (98.82%) of diff not shown.
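Review bot: The two builds lay out the guide's groups in a different order rather than with different content — the Table of Contents near the top of the hunk lists Samba / Web Server / Mail / DHCP on one side and FTP / Web Server / DNS / Samba on the other, and the checklist rows diverge at the same point while the rule counts (270 rules, 76 in Services) stay equal — which suggests the guide generator walks an unordered collection (a set or a dict keyed by group id) when it builds the tree; that cause is inferred from the diff, not from the generator source. Sorting groups and rules by their XCCDF id, or preserving the benchmark's document order, before rendering would make the HTML deterministic and let the shipped guidance, including the embedded remediation scripts such as the `package_remove` shell function on the new side, be verified byte-for-byte against what the source produces. The same reorder appears in the ssg-centos6-guide-pci-dss.html section that follows, whose hunk runs past the end of this view, and this hunk is itself truncated by diffoscope, so the remaining differences cannot be confirmed to be ordering-only.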
770 KB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-pci-dss.html
    
Offset 56, 15 lines modifiedOffset 56, 15 lines modified
56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px
"><h3·id="xccdf_org.ssgproject.content_group_services">Services63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssg
project.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
67 ones·can·be·safely·disabled.67 ones·can·be·safely·disabled.
68 <br><br>68 <br><br>
69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 91, 15 lines modifiedOffset 91, 15 lines modified
91 <br><br>91 <br><br>
92 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP92 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP
93 servers,·and·the·remainder·obtaining·time·information·from·those93 servers,·and·the·remainder·obtaining·time·information·from·those
94 internal·servers.94 internal·servers.
95 <br><br>95 <br><br>
96 More·information·on·how·to·configure·the·NTP·server·software,96 More·information·on·how·to·configure·the·NTP·server·software,
97 including·configuration·of·cryptographic·authentication·for97 including·configuration·of·cryptographic·authentication·for
98 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29885"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon98 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29833"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon
99 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>99 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
100 ··········100 ··········
101 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:101 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
102 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>102 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>
103 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>103 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>
104 service·will·be·running·and·that·the·system·will·synchronize·its·time·to104 service·will·be·running·and·that·the·system·will·synchronize·its·time·to
105 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be105 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be
Offset 108, 15 lines modifiedOffset 108, 15 lines modified
108 services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate108 services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate
109 logs·and·auditing·possible·security·breaches.··109 logs·and·auditing·possible·security·breaches.··
110 <br><br>110 <br><br>
111 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·111 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·
112 deprecated.··Additional·information·on·this·is·available·at·112 deprecated.··Additional·information·on·this·is·available·at·
113 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 113 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
114 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 114 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
115 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29902">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29902"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.115 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29850">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29850"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
116 #116 #
117 #·Example·Call(s):117 #·Example·Call(s):
118 #118 #
119 #·····service_command·enable·bluetooth119 #·····service_command·enable·bluetooth
120 #·····service_command·disable·bluetooth.service120 #·····service_command·disable·bluetooth.service
121 #121 #
122 #·····Using·xinetd:122 #·····Using·xinetd:
Offset 184, 15 lines modifiedOffset 184, 15 lines modified
184 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd184 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
185 ··fi185 ··fi
186 fi186 fi
  
187 }187 }
  
188 service_command·enable·ntpd188 service_command·enable·ntpd
189 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29904">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29904"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd189 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29852">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29852"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd
190 ··service:190 ··service:
191 ····name="{{item}}"191 ····name="{{item}}"
192 ····enabled="yes"192 ····enabled="yes"
193 ····state="started"193 ····state="started"
194 ··with_items:194 ··with_items:
195 ····-·ntpd195 ····-·ntpd
196 ··tags:196 ··tags:
Offset 201, 25 lines modifiedOffset 201, 25 lines modified
201 ····-·enable_strategy201 ····-·enable_strategy
202 ····-·low_complexity202 ····-·low_complexity
203 ····-·low_disruption203 ····-·low_disruption
204 ····-·CCE-27093-4204 ····-·CCE-27093-4
205 ····-·NIST-800-53-AU-8(1)205 ····-·NIST-800-53-AU-8(1)
206 ····-·PCI-DSS-Req-10.4206 ····-·PCI-DSS-Req-10.4
207 ····-·DISA-STIG-RHEL-06-000247207 ····-·DISA-STIG-RHEL-06-000247
208 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29909"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers208 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29857"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers
209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization
210 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the210 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the
211 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for211 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for
212 <em>ntpserver</em>:212 <em>ntpserver</em>:
213 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of213 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of
214 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes214 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes
215 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for215 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for
216 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 216 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
217 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 217 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
218 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29921"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server218 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29869"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server
219 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit219 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit
220 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,220 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,
221 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:221 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:
222 <pre>server·<i>ntpserver</i></pre>222 <pre>server·<i>ntpserver</i></pre>
223 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time223 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time
224 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible224 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible
225 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with225 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with
Offset 234, 15 lines modifiedOffset 234, 15 lines modified
234 detailed·documentation·is·available·from·its·website,234 detailed·documentation·is·available·from·its·website,
235 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and235 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and
236 provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary236 provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary
237 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then237 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
238 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration238 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
239 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be239 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
240 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more240 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
241 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31315"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval241 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31839"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
242 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout242 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout
243 interval.243 interval.
244 After·this·interval·has·passed,·the·idle·user·will·be244 After·this·interval·has·passed,·the·idle·user·will·be
245 automatically·logged·out.245 automatically·logged·out.
246 <br><br>246 <br><br>
247 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as247 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
248 follows:248 follows:
Offset 253, 23 lines modifiedOffset 253, 23 lines modified
253 If·a·shorter·timeout·has·already·been·set·for·the·login253 If·a·shorter·timeout·has·already·been·set·for·the·login
254 shell,·that·value·will·preempt·any·SSH254 shell,·that·value·will·preempt·any·SSH
255 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH255 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
256 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out256 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out
257 guards·against·compromises·one·system·leading·trivially257 guards·against·compromises·one·system·leading·trivially
258 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 258 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
259 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 259 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
260 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm31336">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31336"><pre><code>260 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm31860">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31860"><pre><code>
261 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"261 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"
  
262 grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&amp;&amp;·\262 grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&amp;&amp;·\
263 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config263 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config
264 if·!·[·$?·-eq·0·];·then264 if·!·[·$?·-eq·0·];·then
265 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·&gt;&gt;·/etc/ssh/sshd_config265 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·&gt;&gt;·/etc/ssh/sshd_config
266 fi266 fi
267 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm31338">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31338"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable267 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm31862">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31862"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable
268 ··set_fact:268 ··set_fact:
269 ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>269 ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>
270 ··tags:270 ··tags:
271 ····-·always271 ····-·always
  
584 KB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-rht-ccp.html
    
Offset 56, 23 lines modifiedOffset 56, 135 lines modified
56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ss
gproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Main
taining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
67 ones·can·be·safely·disabled.67 ones·can·be·safely·disabled.
68 <br><br>68 <br><br>
69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons
 72 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to
 73 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost
 74 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or
 75 may·not·be·required·on·a·given·system.·Both·daemons·should·be
 76 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm30099"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd)
 77 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to
 78 schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed
 79 execution·in·a·manner·similar·to·cron,·except·that·it·is·not
 80 recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via
 81 <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time.
  
 82 ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command:
 83 ········<pre>$·sudo·chkconfig·atd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry
 84 out·activities·outside·of·a·normal·login·session,·which·could·complicate
 85 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or
 86 <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 87 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 88 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50442r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm30117">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30117"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 89 #
 90 #·Example·Call(s):
 91 #
 92 #·····service_command·enable·bluetooth
 93 #·····service_command·disable·bluetooth.service
 94 #
 95 #·····Using·xinetd:
 96 #·····service_command·disable·rsh.socket·xinetd=rsh
 97 #
 98 function·service_command·{
  
 99 #·Load·function·arguments·into·local·variables
 100 local·service_state=$1
 101 local·service=$2
 102 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 103 #·Check·sanity·of·the·input
 104 if·[·$#·-lt·"2"·]
 105 then
 106 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 107 ··echo
 108 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 109 ··echo·"as·the·last·argument"··
 110 ··echo·"Aborting."
 111 ··exit·1
 112 fi
  
 113 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 114 if·[·-f·"/usr/bin/systemctl"·]·;·then
 115 ··service_util="/usr/bin/systemctl"
 116 else
 117 ··service_util="/sbin/service"
 118 ··chkconfig_util="/sbin/chkconfig"
 119 fi
  
 120 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 121 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 122 if·[·"$service_state"·!=·'disable'·]·;·then
 123 ··service_state="enable"
 124 ··service_operation="start"
 125 ··chkconfig_state="on"
 126 else
 127 ··service_state="disable"
 128 ··service_operation="stop"
 129 ··chkconfig_state="off"
 130 fi
  
 131 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 132 if·[·"x$chkconfig_util"·!=·x·]·;·then
 133 ··$service_util·$service·$service_operation
 134 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 135 else
 136 ··$service_util·$service_operation·$service
 137 ··$service_util·$service_state·$service
 138 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 139 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 140 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 141 ··$service_util·reset-failed·$service
 142 fi
  
 143 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 144 #·If·empty,·then·xinetd·is·not·being·used.
 145 if·[·"x$xinetd"·!=·x·]·;·then
 146 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&amp;&amp;·\
  
 147 ··if·[·"$service_operation"·=·'disable'·]·;·then
 148 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 149 ··else
 150 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 151 ··fi
 152 fi
  
 153 }
  
 154 service_command·disable·atd
 155 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm30119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd
 156 ··service:
 157 ····name="{{item}}"
 158 ····enabled="no"
 159 ····state="stopped"
 160 ··register:·service_result
 161 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 162 ··with_items:
 163 ····-·atd
 164 ··tags:
 165 ····-·service_atd_disabled
 166 ····-·unknown_severity
 167 ····-·disable_strategy
 168 ····-·low_complexity
 169 ····-·low_disruption
 170 ····-·CCE-27249-2
 171 ····-·NIST-800-53-CM-7
 172 ····-·DISA-STIG-RHEL-06-000262
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-server.html
Offset 57, 15 lines modifiedOffset 57, 15 lines modified
57 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in57 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
61 quality,·reliability,·or·any·other·characteristic.61 quality,·reliability,·or·any·other·characteristic.
62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
63 ····························(as·of·2018-07-26)63 ····························(as·of·2018-07-26)
64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·hr[·...·truncated·by·diffoscope;·len:·550,·SHA:·748c39ab5de3bdcff786e6f881c51adf65720558ef8b4fcaee9c7b52390b8bab·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist<
/h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</
a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·550,·SHA:·57496307fa97d1728004b56852784b91d9d3fe09769ff2b07f1473882fcbec47·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 83, 39 lines modifiedOffset 83, 39 lines modified
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in
84 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a84 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a
85 <code>[global]</code>·configuration·section·and·a·series·of·user85 <code>[global]</code>·configuration·section·and·a·series·of·user
86 created·share·definition·sections·meant·to·describe·file·or·print86 created·share·definition·sections·meant·to·describe·file·or·print
87 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode87 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode
88 and·allow·client·systems·to·access·local·home·directories·and88 and·allow·client·systems·to·access·local·home·directories·and
89 printers.·It·is·recommended·that·these·settings·be·changed·or·that89 printers.·It·is·recommended·that·these·settings·be·changed·or·that
90 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29075"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient90 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29692"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient
91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use
92 packet·signing,·add·the·following·to·the·<code>[global]</code>·section92 packet·signing,·add·the·following·to·the·<code>[global]</code>·section
93 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:93 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:
94 <pre>client·signing·=·mandatory</pre>94 <pre>client·signing·=·mandatory</pre>
95 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet95 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet
96 signing·ensures·they·can96 signing·ensures·they·can
97 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent97 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent
98 man-in-the-middle·attacks·which·modify·SMB·packets·in98 man-in-the-middle·attacks·which·modify·SMB·packets·in
99 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 99 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
100 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 100 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
101 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><pre><code>######################################################################101 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29703">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29703"><pre><code>######################################################################
102 #By·Luke·"Brisk-OH"·Brisk102 #By·Luke·"Brisk-OH"·Brisk
103 #luke.brisk@boeing.com·or·luke.brisk@gmail.com103 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
104 ######################################################################104 ######################################################################
  
105 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)105 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
106 if·[·"$CLIENTSIGNING"·-eq·0·];··then106 if·[·"$CLIENTSIGNING"·-eq·0·];··then
107 »       #·Add·to·global·section107 »       #·Add·to·global·section
108 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf108 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
109 else109 else
110 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf110 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
111 fi111 fi
112 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29087">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29087"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists112 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29704">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29704"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists
113 ··stat:113 ··stat:
114 ····path:·/etc/samba/smb.conf114 ····path:·/etc/samba/smb.conf
115 ··register:·st_smb115 ··register:·st_smb
116 ··tags:116 ··tags:
117 ····-·require_smb_client_signing117 ····-·require_smb_client_signing
118 ····-·unknown_severity118 ····-·unknown_severity
119 ····-·configure_strategy119 ····-·configure_strategy
Offset 135, 84 lines modifiedOffset 135, 26 lines modified
135 ····-·require_smb_client_signing135 ····-·require_smb_client_signing
136 ····-·unknown_severity136 ····-·unknown_severity
137 ····-·configure_strategy137 ····-·configure_strategy
138 ····-·low_complexity138 ····-·low_complexity
139 ····-·medium_disruption139 ····-·medium_disruption
140 ····-·CCE-26328-5140 ····-·CCE-26328-5
141 ····-·DISA-STIG-RHEL-06-000272141 ····-·DISA-STIG-RHEL-06-000272
142 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29092"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs142 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29709"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs
143 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba143 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba
144 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares144 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares
145 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either145 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either
146 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.146 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.
147 <br><br>147 <br><br>
148 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba148 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba
149 client·should·only·communicate·with·servers·who·can·support·SMB149 client·should·only·communicate·with·servers·who·can·support·SMB
150 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle150 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle
151 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 151 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
152 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 152 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
153 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software153 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol
154 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. 
155 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious 
156 targets·of·network·attack. 
157 Ensure·that·systems·are·not·running·MTAs·unnecessarily, 
158 and·configure·needed·MTAs·as·defensively·as·possible. 
159 <br><br> 
160 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the 
161 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email 
162 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. 
163 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, 
164 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. 
165 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
166 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
167 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
168 <br><br> 
169 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software 
170 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. 
171 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by 
172 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. 
173 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients 
174 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only 
175 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29520"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening 
176 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following 
177 <code>inet_interfaces</code>·line·appears: 
178 <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages 
179 (such·as·cron·job·reports)·from·the·local·system·only, 
180 and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
181 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
182 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP 
183 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows 
184 systems·to·request·and·obtain·an·IP·address·and·other·configuration 
185 parameters·from·a·server. 
186 <br><br> 
187 This·guide·recommends·configuring·networking·on·clients·by·manually·editing 
188 the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· 
189 systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· 
190 unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· 
191 that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client 
192 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system 
193 installer,·and·common·on·many·networks.·Nevertheless,·manual·management 
194 of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and 
195 accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29749"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client 
196 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit 
197 <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the 
198 following·changes: 
199 <ul><li>·Correct·the·BOOTPROTO·line·to·read: 
200 <pre>BOOTPROTO=none</pre> 
201 </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate 
202 values·based·on·your·site's·addressing·scheme: 
203 <pre>NETMASK=255.255.255.0 
204 IPADDR=192.168.1.2 
205 GATEWAY=192.168.1.1</pre> 
Max diff block lines reached; 1363993/1390438 bytes (98.10%) of diff not shown.
1.3 MB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-standard.html
    
Offset 58, 15 lines modifiedOffset 58, 15 lines modified
58 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in58 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
59 this·guide·without·first·testing·them·in·a·non-operational·environment.·The59 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
60 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by60 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
61 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its61 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
62 quality,·reliability,·or·any·other·characteristic.62 quality,·reliability,·or·any·other·characteristic.
63 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>63 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
64 ····························(as·of·2018-07-26)64 ····························(as·of·2018-07-26)
65 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configurati[·...·truncated·by·diffoscope;·len:·399,·SHA:·1813fbd08a6360a58cd44dfebbfd1c4e92674f9a178928b14bc1a2a28d09f72e·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist<
/h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services65 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a
></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li>[·...·truncated·by·diffoscope;·len:·399,·SHA:·fbfb410e2703115c5bde514edad124bef19a840feb775eacf478f7e80a5206c7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
66 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review66 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
67 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It67 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
68 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which68 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
69 ones·can·be·safely·disabled.69 ones·can·be·safely·disabled.
70 <br><br>70 <br><br>
71 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional71 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
72 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up72 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 84, 39 lines modifiedOffset 84, 39 lines modified
84 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in84 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in
85 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a85 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a
86 <code>[global]</code>·configuration·section·and·a·series·of·user86 <code>[global]</code>·configuration·section·and·a·series·of·user
87 created·share·definition·sections·meant·to·describe·file·or·print87 created·share·definition·sections·meant·to·describe·file·or·print
88 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode88 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode
89 and·allow·client·systems·to·access·local·home·directories·and89 and·allow·client·systems·to·access·local·home·directories·and
90 printers.·It·is·recommended·that·these·settings·be·changed·or·that90 printers.·It·is·recommended·that·these·settings·be·changed·or·that
91 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29075"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient91 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29692"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient
92 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use92 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use
93 packet·signing,·add·the·following·to·the·<code>[global]</code>·section93 packet·signing,·add·the·following·to·the·<code>[global]</code>·section
94 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:94 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:
95 <pre>client·signing·=·mandatory</pre>95 <pre>client·signing·=·mandatory</pre>
96 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet96 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet
97 signing·ensures·they·can97 signing·ensures·they·can
98 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent98 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent
99 man-in-the-middle·attacks·which·modify·SMB·packets·in99 man-in-the-middle·attacks·which·modify·SMB·packets·in
100 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 100 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
101 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 101 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
102 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><pre><code>######################################################################102 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29703">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29703"><pre><code>######################################################################
103 #By·Luke·"Brisk-OH"·Brisk103 #By·Luke·"Brisk-OH"·Brisk
104 #luke.brisk@boeing.com·or·luke.brisk@gmail.com104 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
105 ######################################################################105 ######################################################################
  
106 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)106 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
107 if·[·"$CLIENTSIGNING"·-eq·0·];··then107 if·[·"$CLIENTSIGNING"·-eq·0·];··then
108 »       #·Add·to·global·section108 »       #·Add·to·global·section
109 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf109 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
110 else110 else
111 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf111 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
112 fi112 fi
113 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29087">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29087"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists113 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29704">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29704"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists
114 ··stat:114 ··stat:
115 ····path:·/etc/samba/smb.conf115 ····path:·/etc/samba/smb.conf
116 ··register:·st_smb116 ··register:·st_smb
117 ··tags:117 ··tags:
118 ····-·require_smb_client_signing118 ····-·require_smb_client_signing
119 ····-·unknown_severity119 ····-·unknown_severity
120 ····-·configure_strategy120 ····-·configure_strategy
Offset 136, 55 lines modifiedOffset 136, 26 lines modified
136 ····-·require_smb_client_signing136 ····-·require_smb_client_signing
137 ····-·unknown_severity137 ····-·unknown_severity
138 ····-·configure_strategy138 ····-·configure_strategy
139 ····-·low_complexity139 ····-·low_complexity
140 ····-·medium_disruption140 ····-·medium_disruption
141 ····-·CCE-26328-5141 ····-·CCE-26328-5
142 ····-·DISA-STIG-RHEL-06-000272142 ····-·DISA-STIG-RHEL-06-000272
143 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29092"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs143 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29709"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs
144 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba144 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba
145 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares145 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares
146 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either146 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either
147 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.147 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.
148 <br><br>148 <br><br>
149 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba149 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba
150 client·should·only·communicate·with·servers·who·can·support·SMB150 client·should·only·communicate·with·servers·who·can·support·SMB
151 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle151 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle
152 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 152 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
153 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 153 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
154 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software154 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol
155 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. 
156 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious 
157 targets·of·network·attack. 
158 Ensure·that·systems·are·not·running·MTAs·unnecessarily, 
159 and·configure·needed·MTAs·as·defensively·as·possible. 
160 <br><br> 
161 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the 
162 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email 
163 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. 
164 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, 
165 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. 
166 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
167 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
168 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
169 <br><br> 
170 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software 
171 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. 
172 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by 
173 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. 
174 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients 
175 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only 
176 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29520"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening 
177 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following 
178 <code>inet_interfaces</code>·line·appears: 
179 <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages 
180 (such·as·cron·job·reports)·from·the·local·system·only, 
181 and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
182 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
183 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol 
184 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system155 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system
185 clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so156 clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so
186 time·will·drift·unpredictably·on·unmanaged·systems.·Central·time157 time·will·drift·unpredictably·on·unmanaged·systems.·Central·time
187 protocols·can·be·used·both·to·ensure·that·time·is·consistent·among158 protocols·can·be·used·both·to·ensure·that·time·is·consistent·among
188 a·network·of·systems,·and·that·their·time·is·consistent·with·the159 a·network·of·systems,·and·that·their·time·is·consistent·with·the
189 outside·world.160 outside·world.
190 <br><br>161 <br><br>
Offset 203, 15 lines modifiedOffset 174, 15 lines modified
203 <br><br>174 <br><br>
204 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP175 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP
205 servers,·and·the·remainder·obtaining·time·information·from·those176 servers,·and·the·remainder·obtaining·time·information·from·those
206 internal·servers.177 internal·servers.
207 <br><br>178 <br><br>
208 More·information·on·how·to·configure·the·NTP·server·software,179 More·information·on·how·to·configure·the·NTP·server·software,
209 including·configuration·of·cryptographic·authentication·for180 including·configuration·of·cryptographic·authentication·for
210 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29885"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon181 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29833"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon
211 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>182 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
212 ··········183 ··········
213 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:184 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
214 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>185 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>
215 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>186 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>
216 service·will·be·running·and·that·the·system·will·synchronize·its·time·to187 service·will·be·running·and·that·the·system·will·synchronize·its·time·to
217 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be188 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be
Max diff block lines reached; 1337116/1361560 bytes (98.20%) of diff not shown.
1.76 MB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-stig-rhel6-disa.html
    
Offset 63, 23 lines modifiedOffset 63, 50 lines modified
63 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in63 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
64 this·guide·without·first·testing·them·in·a·non-operational·environment.·The64 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
65 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by65 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
66 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its66 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
67 quality,·reliability,·or·any·other·characteristic.67 quality,·reliability,·or·any·other·characteristic.
68 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>68 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
69 ····························(as·of·2018-07-26)69 ····························(as·of·2018-07-26)
70 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·910,·SHA:·9e31603d0e18b438741d26a5b46e138f2525272b0385c20d476cc1c15adf8af1·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_
benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services70 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.
ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xc[·...·truncated·by·diffoscope;·len:·910,·SHA:·dfe52403ca27039c6fd60778f9cb46d9343b9cfec43f048aeacec9a362dd7410·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
71 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review71 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
72 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It72 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
73 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which73 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
74 ones·can·be·safely·disabled.74 ones·can·be·safely·disabled.
75 <br><br>75 <br><br>
76 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional76 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
77 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up77 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
78 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server78 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
 79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
 80 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
 81 that·passwords·and·other·data·transmitted·during·the·session·can·be
 82 captured·and·that·the·session·is·vulnerable·to·hijacking.
 83 Therefore,·running·the·FTP·server·software·is·not·recommended.
 84 <br><br>
 85 However,·there·are·some·FTP·server·configurations·which·may
 86 be·appropriate·for·some·environments,·particularly·those·which
 87 allow·only·read-only·anonymous·access·as·a·means·of·downloading
 88 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
 89 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
 90 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
 91 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions
 92 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code>
 93 configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>:
 94 <pre>xferlog_enable=YES
 95 xferlog_std_format=NO
 96 log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to
 97 the·FTP·server·are·logged·using·the·verbose·vsftpd·log
 98 format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 99 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 100 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29063"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users
 101 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code>
 102 by·default.·Add·or·correct·the·following·configuration·options:
 103 <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 104 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 105 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server
79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows106 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows
80 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft107 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft
81 Windows·systems.·There·are·two·software·packages·that·provide108 Windows·systems.·There·are·two·software·packages·that·provide
82 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of109 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of
83 command·line·tools·that·enable·a·client·system·to·access·Samba110 command·line·tools·that·enable·a·client·system·to·access·Samba
84 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba111 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba
85 service.·It·is·this·second·package·that·allows·a·Linux·system·to112 service.·It·is·this·second·package·that·allows·a·Linux·system·to
Offset 89, 39 lines modifiedOffset 116, 39 lines modified
89 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in116 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in
90 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a117 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a
91 <code>[global]</code>·configuration·section·and·a·series·of·user118 <code>[global]</code>·configuration·section·and·a·series·of·user
92 created·share·definition·sections·meant·to·describe·file·or·print119 created·share·definition·sections·meant·to·describe·file·or·print
93 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode120 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode
94 and·allow·client·systems·to·access·local·home·directories·and121 and·allow·client·systems·to·access·local·home·directories·and
95 printers.·It·is·recommended·that·these·settings·be·changed·or·that122 printers.·It·is·recommended·that·these·settings·be·changed·or·that
96 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29075"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient123 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29692"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient
97 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use124 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use
98 packet·signing,·add·the·following·to·the·<code>[global]</code>·section125 packet·signing,·add·the·following·to·the·<code>[global]</code>·section
99 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:126 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:
100 <pre>client·signing·=·mandatory</pre>127 <pre>client·signing·=·mandatory</pre>
101 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet128 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet
102 signing·ensures·they·can129 signing·ensures·they·can
103 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent130 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent
104 man-in-the-middle·attacks·which·modify·SMB·packets·in131 man-in-the-middle·attacks·which·modify·SMB·packets·in
105 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 132 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
106 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 133 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
107 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><pre><code>######################################################################134 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29703">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29703"><pre><code>######################################################################
108 #By·Luke·"Brisk-OH"·Brisk135 #By·Luke·"Brisk-OH"·Brisk
109 #luke.brisk@boeing.com·or·luke.brisk@gmail.com136 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
110 ######################################################################137 ######################################################################
  
111 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)138 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
112 if·[·"$CLIENTSIGNING"·-eq·0·];··then139 if·[·"$CLIENTSIGNING"·-eq·0·];··then
113 »       #·Add·to·global·section140 »       #·Add·to·global·section
114 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf141 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
115 else142 else
116 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf143 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
117 fi144 fi
118 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29087">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29087"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists145 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29704">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29704"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists
119 ··stat:146 ··stat:
120 ····path:·/etc/samba/smb.conf147 ····path:·/etc/samba/smb.conf
121 ··register:·st_smb148 ··register:·st_smb
122 ··tags:149 ··tags:
123 ····-·require_smb_client_signing150 ····-·require_smb_client_signing
124 ····-·unknown_severity151 ····-·unknown_severity
125 ····-·configure_strategy152 ····-·configure_strategy
Offset 141, 71 lines modifiedOffset 168, 191 lines modified
141 ····-·require_smb_client_signing168 ····-·require_smb_client_signing
142 ····-·unknown_severity169 ····-·unknown_severity
143 ····-·configure_strategy170 ····-·configure_strategy
144 ····-·low_complexity171 ····-·low_complexity
145 ····-·medium_disruption172 ····-·medium_disruption
146 ····-·CCE-26328-5173 ····-·CCE-26328-5
147 ····-·DISA-STIG-RHEL-06-000272174 ····-·DISA-STIG-RHEL-06-000272
148 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29092"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs175 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29709"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs
149 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba176 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba
150 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares177 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares
151 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either178 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either
152 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.179 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.
153 <br><br>180 <br><br>
154 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba181 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba
155 client·should·only·communicate·with·servers·who·can·support·SMB182 client·should·only·communicate·with·servers·who·can·support·SMB
156 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle183 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle
157 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 184 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
158 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 185 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
159 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software186 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol
160 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network.187 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system
161 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious188 clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so
162 targets·of·network·attack.189 time·will·drift·unpredictably·on·unmanaged·systems.·Central·time
163 Ensure·that·systems·are·not·running·MTAs·unnecessarily,190 protocols·can·be·used·both·to·ensure·that·time·is·consistent·among
164 and·configure·needed·MTAs·as·defensively·as·possible.191 a·network·of·systems,·and·that·their·time·is·consistent·with·the
 192 outside·world.
165 <br><br>193 <br><br>
166 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the194 If·every·system·on·a·network·reliably·reports·the·same·time,·then·it·is·much
167 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email195 easier·to·correlate·log·messages·in·case·of·an·attack.·In·addition,·a·number·of
168 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3.196 cryptographic·protocols·(such·as·Kerberos)·use·timestamps·to·prevent·certain
169 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email,197 types·of·attacks.·If·your·network·does·not·have·synchronized·time,·these
170 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator.198 protocols·may·be·unreliable·or·even·unusable.
171 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
172 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
173 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
174 <br><br>199 <br><br>
175 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software200 Depending·on·the·specifics·of·the·network,·global·time·accuracy·may·be·just·as
Max diff block lines reached; 1809627/1843863 bytes (98.14%) of diff not shown.
1.65 MB
./usr/share/doc/ssg-nondebian/ssg-centos6-guide-usgcb-rhel6-server.html
    
Offset 57, 45 lines modifiedOffset 57, 45 lines modified
57 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in57 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
61 quality,·reliability,·or·any·other·characteristic.61 quality,·reliability,·or·any·other·characteristic.
62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
63 ····························(as·of·2018-07-26)63 ····························(as·of·2018-07-26)
64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·1135,·SHA:·fa1f688fecfd327721db14768693baf620a8eed48e56a9c84b2b1d81c622771a·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content
_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_
group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1135,·SHA:·21de240d343fbd223cf68c70c59d884c3ee65c2748e12911430648c71044dd8d·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
74 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft74 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
75 Windows·systems.·There·are·two·software·packages·that·provide75 that·passwords·and·other·data·transmitted·during·the·session·can·be
76 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of76 captured·and·that·the·session·is·vulnerable·to·hijacking.
77 command·line·tools·that·enable·a·client·system·to·access·Samba77 Therefore,·running·the·FTP·server·software·is·not·recommended.
78 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba78 <br><br>
79 service.·It·is·this·second·package·that·allows·a·Linux·system·to79 However,·there·are·some·FTP·server·configurations·which·may
80 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a80 be·appropriate·for·some·environments,·particularly·those·which
81 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by81 allow·only·read-only·anonymous·access·as·a·means·of·downloading
82 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible82 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
84 will·remain·disabled.·Do·not·enable·this·service·unless·it·is84 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
85 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print85 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
86 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm28998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba 
87 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> 
88 ············86 ············
89 ········The·<code>smb</code>·service·can·be·disabled·with·the·following·command:87 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
90 ········<pre>$·sudo·chkconfig·smb·off</pre>88 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
91 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·a·Samba·server·provides·a·network-based·avenue·of·attack,·and89 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
92 should·be·disabled·if·not·needed.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 90 of·attack,·and·should·be·disabled·if·not·needed.
 91 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
 92 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
94 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29005">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29005"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.94 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
95 #95 #
96 #·Example·Call(s):96 #·Example·Call(s):
97 #97 #
98 #·····service_command·enable·bluetooth98 #·····service_command·enable·bluetooth
99 #·····service_command·disable·bluetooth.service99 #·····service_command·disable·bluetooth.service
100 #100 #
101 #·····Using·xinetd:101 #·····Using·xinetd:
Offset 162, 124 lines modifiedOffset 162, 123 lines modified
162 ··else162 ··else
163 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd163 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
164 ··fi164 ··fi
165 fi165 fi
  
166 }166 }
  
167 service_command·disable·smb167 service_command·disable·vsftpd
168 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29007">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29007"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·smb168 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29106"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd
169 ··service:169 ··service:
170 ····name="{{item}}"170 ····name="{{item}}"
171 ····enabled="no"171 ····enabled="no"
172 ····state="stopped"172 ····state="stopped"
173 ··register:·service_result173 ··register:·service_result
174 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"174 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
175 ··with_items:175 ··with_items:
176 ····-·smb176 ····-·vsftpd
177 ··tags:177 ··tags:
178 ····-·service_smb_disabled178 ····-·service_vsftpd_disabled
179 ····-·unknown_severity179 ····-·unknown_severity
180 ····-·disable_strategy180 ····-·disable_strategy
181 ····-·low_complexity181 ····-·low_complexity
182 ····-·low_disruption182 ····-·low_disruption
183 ····-·CCE-27143-7183 ····-·CCE-26948-0
184 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary184 ····-·NIST-800-53-CM-7
185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in185 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29111"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
186 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a186 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
187 <code>[global]</code>·configuration·section·and·a·series·of·user187 ············
188 created·share·definition·sections·meant·to·describe·file·or·print188 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
189 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode189 ········<pre>$·sudo·yum·erase·vsftpd</pre>
190 and·allow·client·systems·to·access·local·home·directories·and190 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
191 printers.·It·is·recommended·that·these·settings·be·changed·or·that191 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
192 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29075"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient 
193 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
194 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
195 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
196 <pre>client·signing·=·mandatory</pre> 
197 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
198 signing·ensures·they·can 
199 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
200 man-in-the-middle·attacks·which·modify·SMB·packets·in 
201 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
202 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 192 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
203 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29086">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29086"><pre><code>######################################################################193 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29119">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29119"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
204 #By·Luke·"Brisk-OH"·Brisk194 #
205 #luke.brisk@boeing.com·or·luke.brisk@gmail.com195 #·Example·Call(s):
206 ######################################################################196 #
 197 #·····package_remove·telnet-server
 198 #
 199 function·package_remove·{
  
207 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)200 #·Load·function·arguments·into·local·variables
 201 local·package="$1"
  
208 if·[·"$CLIENTSIGNING"·-eq·0·];··then202 #·Check·sanity·of·the·input
209 »       #·Add·to·global·section203 if·[·$#·-ne·"1"·]
210 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf204 then
 205 ··echo·"Usage:·package_remove·'package_name'"
 206 ··echo·"Aborting."
 207 ··exit·1
 208 fi
  
 209 if·which·dnf·;·then
 210 ··if·rpm·-q·--quiet·"$package";·then
 211 ····dnf·remove·-y·"$package"
 212 ··fi
 213 elif·which·yum·;·then
 214 ··if·rpm·-q·--quiet·"$package";·then
 215 ····yum·remove·-y·"$package"
 216 ··fi
 217 elif·which·apt-get·;·then
 218 ··apt-get·remove·-y·"$package"
211 else219 else
212 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf220 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 221 ··echo·"Aborting."
 222 ··exit·1
213 fi223 fi
214 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29087">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29087"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists 
215 ··stat: 
Max diff block lines reached; 1705539/1731578 bytes (98.50%) of diff not shown.
1020 KB
./usr/share/doc/ssg-nondebian/ssg-centos7-guide-C2S.html
    
Offset 66, 15 lines modifiedOffset 66, 15 lines modified
66 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in66 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
67 this·guide·without·first·testing·them·in·a·non-operational·environment.·The67 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
68 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by68 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
69 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its69 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
70 quality,·reliability,·or·any·other·characteristic.70 quality,·reliability,·or·any·other·characteristic.
71 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>71 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
72 ····························(as·of·2018-07-26)72 ····························(as·of·2018-07-26)
73 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.c[·...·truncated·by·diffoscope;·len:·39,·SHA:·9fa1eff42ec8317736e4e9e4a39edaacb764d06e868832c02f95c6f4d064aaef·...·]</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RP
C</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"><small>contains·213·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services73 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·39,·SHA:·71531d2cb5e45bf87276058ffe0a5eac9722a5944d366562dfd03b1cc8832d7f·...·]</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</
a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"><small>contains·213·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
75 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It75 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It
76 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which76 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which
77 ones·can·be·safely·disabled.77 ones·can·be·safely·disabled.
78 <br><br>78 <br><br>
79 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional79 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
80 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up80 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 92, 24 lines modifiedOffset 92, 24 lines modified
92 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict92 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
93 the·service·as·much·as·possible,·for·instance·by·configuring·host93 the·service·as·much·as·possible,·for·instance·by·configuring·host
94 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the94 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
95 vulnerable·service·to·only·those·remote·hosts·which·have·a·known95 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
96 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec96 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
97 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which97 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
98 allow·cleartext·remote·access·and·have·an·insecure·trust98 allow·cleartext·remote·access·and·have·an·insecure·trust
99 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm36017"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package99 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
100 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands100 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
101 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have101 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
102 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,102 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
103 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from103 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
104 inadvertently·attempting·to·use·these·commands·and·therefore·exposing104 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
105 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes105 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
106 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 106 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
107 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 107 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
108 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36040"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.108 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36017"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
109 #109 #
110 #·Example·Call(s):110 #·Example·Call(s):
111 #111 #
112 #·····package_remove·telnet-server112 #·····package_remove·telnet-server
113 #113 #
114 function·package_remove·{114 function·package_remove·{
  
Offset 139, 62 lines modifiedOffset 139, 62 lines modified
139 ··echo·"Aborting."139 ··echo·"Aborting."
140 ··exit·1140 ··exit·1
141 fi141 fi
  
142 }142 }
  
143 package_remove·rsh143 package_remove·rsh
144 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36042">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36042"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed144 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36019">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36019"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
145 ··package:145 ··package:
146 ····name="{{item}}"146 ····name="{{item}}"
147 ····state=absent147 ····state=absent
148 ··with_items:148 ··with_items:
149 ····-·rsh149 ····-·rsh
150 ··tags:150 ··tags:
151 ····-·package_rsh_removed151 ····-·package_rsh_removed
152 ····-·unknown_severity152 ····-·unknown_severity
153 ····-·disable_strategy153 ····-·disable_strategy
154 ····-·low_complexity154 ····-·low_complexity
155 ····-·low_disruption155 ····-·low_disruption
156 ····-·CCE-27274-0156 ····-·CCE-27274-0
157 ····-·NIST-800-171-3.1.13157 ····-·NIST-800-171-3.1.13
158 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36043">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36043"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh158 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
159 class·remove_rsh·{159 class·remove_rsh·{
160 ··package·{·'rsh':160 ··package·{·'rsh':
161 ····ensure·=&gt;·'purged',161 ····ensure·=&gt;·'purged',
162 ··}162 ··}
163 }163 }
164 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36044">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36044"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>164 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
165 package·--remove=rsh165 package·--remove=rsh
166 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36049"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service166 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36026"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
167 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with167 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
168 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately168 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
169 as·a·systemd·socket,·should·be·disabled.169 as·a·systemd·socket,·should·be·disabled.
170 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.170 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
171 If·using·systemd,·171 If·using·systemd,·
172 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:172 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
173 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which173 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
174 means·that·data·from·the·login·session,·including·passwords·and174 means·that·data·from·the·login·session,·including·passwords·and
175 all·other·information·transmitted·during·the·session,·can·be175 all·other·information·transmitted·during·the·session,·can·be
176 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 176 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
177 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 177 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
178 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36073">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36073"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\178 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36050">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36050"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
179 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin179 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
180 #180 #
181 #·Disable·rlogin.socket·for·all·systemd·targets181 #·Disable·rlogin.socket·for·all·systemd·targets
182 #182 #
183 systemctl·disable·rlogin.socket183 systemctl·disable·rlogin.socket
  
184 #184 #
185 #·Stop·rlogin.socket·if·currently·running185 #·Stop·rlogin.socket·if·currently·running
186 #186 #
187 systemctl·stop·rlogin.socket187 systemctl·stop·rlogin.socket
188 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36074">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36074"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin188 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36051">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36051"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
189 ··service:189 ··service:
190 ····name="{{item}}"190 ····name="{{item}}"
191 ····enabled="no"191 ····enabled="no"
192 ····state="stopped"192 ····state="stopped"
193 ··register:·service_result193 ··register:·service_result
194 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"194 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
195 ··with_items:195 ··with_items:
Offset 207, 39 lines modifiedOffset 207, 39 lines modified
207 ····-·low_disruption207 ····-·low_disruption
208 ····-·CCE-27336-7208 ····-·CCE-27336-7
209 ····-·NIST-800-53-AC-17(8)209 ····-·NIST-800-53-AC-17(8)
210 ····-·NIST-800-53-CM-7210 ····-·NIST-800-53-CM-7
211 ····-·NIST-800-53-IA-5(1)(c)211 ····-·NIST-800-53-IA-5(1)(c)
212 ····-·NIST-800-171-3.1.13212 ····-·NIST-800-171-3.1.13
213 ····-·NIST-800-171-3.4.7213 ····-·NIST-800-171-3.4.7
214 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service214 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
215 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with215 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
216 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately216 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
217 as·a·systemd·socket,·should·be·disabled.217 as·a·systemd·socket,·should·be·disabled.
218 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·218 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
219 If·using·systemd,·219 If·using·systemd,·
220 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:220 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
221 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which221 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
222 means·that·data·from·the·login·session,·including·passwords·and222 means·that·data·from·the·login·session,·including·passwords·and
223 all·other·information·transmitted·during·the·session,·can·be223 all·other·information·transmitted·during·the·session,·can·be
224 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 224 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
225 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 225 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
226 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36103">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36103"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\226 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36080">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36080"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
227 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec227 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
228 #228 #
Max diff block lines reached; 1006940/1039960 bytes (96.82%) of diff not shown.
./usr/share/doc/ssg-nondebian/ssg-centos7-guide-cjis.html
    
Offset 82, 26 lines modifiedOffset 82, 26 lines modified
82 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·82 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·
83 is·called·<code>sshd</code>·and·provided·by·the·RPM·package83 is·called·<code>sshd</code>·and·provided·by·the·RPM·package
84 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary84 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary
85 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then85 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
86 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration86 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
87 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be87 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
88 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more88 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
89 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39686"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords89 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39702"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords
90 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with90 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with
91 empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>:91 empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>:
92 <br>92 <br>
93 <pre>PermitEmptyPasswords·no</pre>93 <pre>PermitEmptyPasswords·no</pre>
94 <br>94 <br>
95 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration95 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration
96 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that96 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that
97 remote·login·via·SSH·will·require·a·password,·even·in·the·event·of·97 remote·login·via·SSH·will·require·a·password,·even·in·the·event·of·
98 misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 98 misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
99 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 99 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
100 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm39711">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39711"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if100 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-00
0480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm39727">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39727"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
101 #·it·does·not·exist.101 #·it·does·not·exist.
102 #102 #
103 #·Expects·arguments:103 #·Expects·arguments:
104 #104 #
105 #·config_file:»  »  Configuration·file·that·will·be·modified105 #·config_file:»  »  Configuration·file·that·will·be·modified
106 #·key:»  »  »  Configuration·option·to·change106 #·key:»  »  »  Configuration·option·to·change
107 #·value:»»Value·of·the·configuration·option·to·change107 #·value:»»Value·of·the·configuration·option·to·change
Offset 172, 15 lines modifiedOffset 172, 15 lines modified
172 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline172 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
173 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"173 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"
174 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"174 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"
175 ··fi175 ··fi
176 }176 }
  
177 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'177 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'
178 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39713">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39713"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Disable·SSH·Access·via·Empty·Passwords178 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39729">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39729"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Disable·SSH·Access·via·Empty·Passwords
179 ··lineinfile:179 ··lineinfile:
180 ····create:·yes180 ····create:·yes
181 ····dest:·/etc/ssh/sshd_config181 ····dest:·/etc/ssh/sshd_config
182 ····regexp:·^PermitEmptyPasswords182 ····regexp:·^PermitEmptyPasswords
183 ····line:·PermitEmptyPasswords·no183 ····line:·PermitEmptyPasswords·no
184 ····validate:·sshd·-t·-f·%s184 ····validate:·sshd·-t·-f·%s
185 ··tags:185 ··tags:
Offset 193, 21 lines modifiedOffset 193, 21 lines modified
193 ····-·NIST-800-53-AC-3193 ····-·NIST-800-53-AC-3
194 ····-·NIST-800-53-AC-6194 ····-·NIST-800-53-AC-6
195 ····-·NIST-800-53-CM-6(b)195 ····-·NIST-800-53-CM-6(b)
196 ····-·NIST-800-171-3.1.1196 ····-·NIST-800-171-3.1.1
197 ····-·NIST-800-171-3.1.5197 ····-·NIST-800-171-3.1.5
198 ····-·CJIS-5.5.6198 ····-·CJIS-5.5.6
199 ····-·DISA-STIG-RHEL-07-010300199 ····-·DISA-STIG-RHEL-07-010300
200 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm39719"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count200 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm39735"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
201 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,201 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
202 edit·<code>/etc/ssh/sshd_config</code>·as·follows:202 edit·<code>/etc/ssh/sshd_config</code>·as·follows:
203 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>203 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
204 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 204 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
205 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 205 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
206 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm39744">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39744"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if206 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx
">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm39760">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39760"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
207 #·it·does·not·exist.207 #·it·does·not·exist.
208 #208 #
209 #·Expects·arguments:209 #·Expects·arguments:
210 #210 #
211 #·config_file:»  »  Configuration·file·that·will·be·modified211 #·config_file:»  »  Configuration·file·that·will·be·modified
212 #·key:»  »  »  Configuration·option·to·change212 #·key:»  »  »  Configuration·option·to·change
213 #·value:»»Value·of·the·configuration·option·to·change213 #·value:»»Value·of·the·configuration·option·to·change
Offset 278, 15 lines modifiedOffset 278, 15 lines modified
278 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline278 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
279 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"279 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"
280 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"280 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"
281 ··fi281 ··fi
282 }282 }
  
283 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'283 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
284 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39746">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39746"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Set·SSH·Client·Alive·Count284 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39762">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39762"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Set·SSH·Client·Alive·Count
285 ··lineinfile:285 ··lineinfile:
286 ····create:·yes286 ····create:·yes
287 ····dest:·/etc/ssh/sshd_config287 ····dest:·/etc/ssh/sshd_config
288 ····regexp:·^ClientAliveCountMax288 ····regexp:·^ClientAliveCountMax
289 ····line:·ClientAliveCountMax·0289 ····line:·ClientAliveCountMax·0
290 ····validate:·sshd·-t·-f·%s290 ····validate:·sshd·-t·-f·%s
291 ··#notify:·restart·sshd291 ··#notify:·restart·sshd
Offset 299, 25 lines modifiedOffset 299, 35 lines modified
299 ····-·CCE-27082-7299 ····-·CCE-27082-7
300 ····-·NIST-800-53-AC-2(5)300 ····-·NIST-800-53-AC-2(5)
301 ····-·NIST-800-53-SA-8301 ····-·NIST-800-53-SA-8
302 ····-·NIST-800-53-AC-12302 ····-·NIST-800-53-AC-12
303 ····-·NIST-800-171-3.1.11303 ····-·NIST-800-171-3.1.11
304 ····-·CJIS-5.5.6304 ····-·CJIS-5.5.6
305 ····-·DISA-STIG-RHEL-07-040340305 ····-·DISA-STIG-RHEL-07-040340
306 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner"·id="guide-tree-leaf-idm39790"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner">Enable·SSH·Warning·Banner306 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39768"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
307 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·enable·the·warning·banner·and·ensure·it·is·consistent307 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout
308 across·the·system,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>:308 interval.
309 <pre>Banner·/etc/issue</pre>309 After·this·interval·has·passed,·the·idle·user·will·be
310 Another·section·contains·information·on·how·to·create·an310 automatically·logged·out.
311 appropriate·system-wide·warning·banner.</p><span·class="label·label-primary">Rationale:</span><p>The·warning·message·reinforces·policy·awareness·during·the·logon·process·and311 <br><br>
312 facilitates·possible·legal·action·against·attackers.·Alternatively,·systems312 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
313 whose·ownership·should·not·be·obvious·should·ensure·usage·of·a·banner·that·does313 follows:
314 not·provide·easy·attribution.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 314 <pre>ClientAliveInterval·<b>interval</b></pre>
315 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 315 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout
316 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86849r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.16</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000050</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001384</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001385</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001386</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001387</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001388</a>,·<a·href="https://[·...·truncated·by·diffoscope;·len:·1824,·SHA:·52454b1cb00c509085364eb233af831aec9d4bae50b4b7316e0c5317eb9a18c8·...·]316 of·10·minutes,·set·<b>interval</b>·to·600.
 317 <br><br>
 318 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·
 319 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
 320 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of
 321 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session
 322 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 323 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 324 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm39793">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39793"><pre><code>
 325 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">1800</abbr>"
 326 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
317 #·it·does·not·exist.327 #·it·does·not·exist.
318 #328 #
319 #·Expects·arguments:329 #·Expects·arguments:
320 #330 #
321 #·config_file:»  »  Configuration·file·that·will·be·modified331 #·config_file:»  »  Configuration·file·that·will·be·modified
322 #·key:»  »  »  Configuration·option·to·change332 #·key:»  »  »  Configuration·option·to·change
323 #·value:»»Value·of·the·configuration·option·to·change333 #·value:»»Value·of·the·configuration·option·to·change
Offset 387, 45 lines modifiedOffset 397, 54 lines modified
387 ··else397 ··else
388 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline398 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
389 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"399 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"
390 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"400 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"
391 ··fi401 ··fi
392 }402 }
  
393 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'403 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
394 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39824">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39824"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Enable·SSH·Warning·Banner404 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39796">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39796"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable
 405 ··set_fact:
Max diff block lines reached; 456402/483650 bytes (94.37%) of diff not shown.
116 KB
./usr/share/doc/ssg-nondebian/ssg-centos7-guide-default.html
    
Offset 56, 27 lines modifiedOffset 56, 24 lines modified
56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>CentOS</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_docker">Docker·Service</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1045,·SHA:·427d41e93b9df052bf3dd439ca5d5079efd8e47dbd3fdf0310dd320bc63cc356·...·]</a></li></ol><li><a·h
ref="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project63 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:centos:centos:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·1045,·SHA:·34a457b90e6dfc8c26555d3cb2e11b5b3c1823d634243e7c52f3554b7bfc3eae·...·]</a></li></ol><li><a·href
="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are 
74 ··self-sufficient·and·self-contained·applications·using·the·resource 
75 ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services 
76 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible
77 services·which·have·historically·caused·problems·for·system74 services·which·have·historically·caused·problems·for·system
78 security,·and·for·which·disabling·or·severely·limiting·the·service75 security,·and·for·which·disabling·or·severely·limiting·the·service
79 has·been·the·best·available·guidance·for·some·time.·As·a·result·of76 has·been·the·best·available·guidance·for·some·time.·As·a·result·of
80 this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·777 this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7
81 by·default.78 by·default.
82 <br><br>79 <br><br>
Offset 110, 15 lines modifiedOffset 107, 51 lines modified
110 found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd107 found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd
111 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some108 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some
112 network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access109 network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access
113 controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other110 controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other
114 features,·and·it·is·not·installed·by·default.·The·older·Inetd·service111 features,·and·it·is·not·installed·by·default.·The·older·Inetd·service
115 is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services112 is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services
116 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages113 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages
117 across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack114 across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server
 115 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not
 116 installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a>
 117 contains·more·detailed·information·about·Dovecot
 118 configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary
 119 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or
 120 POP3·server,·the·dovecot·software·should·be·configured·securely·by·following
 121 the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support
 122 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the·
 123 Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot·
 124 server·in·order·to·read·their·mail,·and·passwords·should·never·be·
 125 transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is·
 126 downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates·
 127 to·authenticate·the·server,·preventing·another·system·from·impersonating·
 128 the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server
 129 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound
 130 access·to·any·services.·This·modification·will·allow·remote·hosts·to
 131 initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports
 132 on·the·server·in·their·default·protected·state.
  
 133 ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s):
 134 ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and
 135 ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols
 136 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as·
 137 SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server·
 138 to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.·
 139 Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with·
 140 only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,·
 141 <code>pop3</code>,·<code>pop3s</code>)·required:
 142 <pre>protocols·=·PROTOCOL</pre>
 143 If·possible,·require·SSL·protection·for·all·transactions.·The·SSL·
 144 protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for·
 145 pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.·
 146 An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the·
 147 client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot
 148 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or
 149 POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack
118 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server150 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
119 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to151 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
120 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means152 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
121 that·passwords·and·other·data·transmitted·during·the·session·can·be153 that·passwords·and·other·data·transmitted·during·the·session·can·be
122 captured·and·that·the·session·is·vulnerable·to·hijacking.154 captured·and·that·the·session·is·vulnerable·to·hijacking.
123 Therefore,·running·the·FTP·server·software·is·not·recommended.155 Therefore,·running·the·FTP·server·software·is·not·recommended.
124 <br><br>156 <br><br>
Offset 874, 51 lines modifiedOffset 907, 18 lines modified
874 supersede·domain-name-servers·192.168.1.2;907 supersede·domain-name-servers·192.168.1.2;
875 supersede·nis-domain·"";908 supersede·nis-domain·"";
876 supersede·nis-servers·"";909 supersede·nis-servers·"";
877 supersede·ntp-servers·"ntp.example.com·";910 supersede·ntp-servers·"ntp.example.com·";
878 supersede·routers·192.168.1.1;911 supersede·routers·192.168.1.1;
879 supersede·time-offset·-18000;912 supersede·time-offset·-18000;
880 request·subnet-mask;913 request·subnet-mask;
881 require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server914 require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service
882 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not915 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are
883 installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a>916 ··self-sufficient·and·self-contained·applications·using·the·resource
884 contains·more·detailed·information·about·Dovecot917 ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC
885 configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary 
886 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or 
887 POP3·server,·the·dovecot·software·should·be·configured·securely·by·following 
888 the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support 
889 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· 
890 Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· 
891 server·in·order·to·read·their·mail,·and·passwords·should·never·be· 
892 transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· 
893 downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· 
894 to·authenticate·the·server,·preventing·another·system·from·impersonating· 
895 the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server 
896 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound 
897 access·to·any·services.·This·modification·will·allow·remote·hosts·to 
898 initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports 
899 on·the·server·in·their·default·protected·state. 
  
900 ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): 
901 ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and 
902 ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols 
903 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· 
904 SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· 
905 to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· 
906 Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· 
907 only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· 
908 <code>pop3</code>,·<code>pop3s</code>)·required: 
909 <pre>protocols·=·PROTOCOL</pre> 
910 If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· 
911 protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· 
912 pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· 
913 An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· 
914 client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot 
915 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or 
916 POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC 
917 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for918 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for
918 the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the919 the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the
919 circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies,920 circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies,
Max diff block lines reached; 84025/118662 bytes (70.81%) of diff not shown.
843 KB
./usr/share/doc/ssg-nondebian/ssg-centos7-guide-hipaa.html
    
Offset 90, 24 lines modifiedOffset 90, 24 lines modified
90 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict90 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
91 the·service·as·much·as·possible,·for·instance·by·configuring·host91 the·service·as·much·as·possible,·for·instance·by·configuring·host
92 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the92 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
93 vulnerable·service·to·only·those·remote·hosts·which·have·a·known93 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
94 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec94 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
95 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which95 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
96 allow·cleartext·remote·access·and·have·an·insecure·trust96 allow·cleartext·remote·access·and·have·an·insecure·trust
97 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm36017"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package97 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
99 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have99 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
100 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,100 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
101 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from101 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
102 inadvertently·attempting·to·use·these·commands·and·therefore·exposing102 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
103 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes103 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
104 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 104 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
105 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 105 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
106 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36040"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.106 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36017"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
107 #107 #
108 #·Example·Call(s):108 #·Example·Call(s):
109 #109 #
110 #·····package_remove·telnet-server110 #·····package_remove·telnet-server
111 #111 #
112 function·package_remove·{112 function·package_remove·{
  
Offset 137, 62 lines modifiedOffset 137, 62 lines modified
137 ··echo·"Aborting."137 ··echo·"Aborting."
138 ··exit·1138 ··exit·1
139 fi139 fi
  
140 }140 }
  
141 package_remove·rsh141 package_remove·rsh
142 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36042">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36042"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed142 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36019">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36019"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
143 ··package:143 ··package:
144 ····name="{{item}}"144 ····name="{{item}}"
145 ····state=absent145 ····state=absent
146 ··with_items:146 ··with_items:
147 ····-·rsh147 ····-·rsh
148 ··tags:148 ··tags:
149 ····-·package_rsh_removed149 ····-·package_rsh_removed
150 ····-·unknown_severity150 ····-·unknown_severity
151 ····-·disable_strategy151 ····-·disable_strategy
152 ····-·low_complexity152 ····-·low_complexity
153 ····-·low_disruption153 ····-·low_disruption
154 ····-·CCE-27274-0154 ····-·CCE-27274-0
155 ····-·NIST-800-171-3.1.13155 ····-·NIST-800-171-3.1.13
156 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36043">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36043"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh156 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
157 class·remove_rsh·{157 class·remove_rsh·{
158 ··package·{·'rsh':158 ··package·{·'rsh':
159 ····ensure·=&gt;·'purged',159 ····ensure·=&gt;·'purged',
160 ··}160 ··}
161 }161 }
162 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36044">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36044"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>162 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
163 package·--remove=rsh163 package·--remove=rsh
164 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36049"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service164 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36026"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
165 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with165 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
166 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately166 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
167 as·a·systemd·socket,·should·be·disabled.167 as·a·systemd·socket,·should·be·disabled.
168 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.168 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
169 If·using·systemd,·169 If·using·systemd,·
170 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:170 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
171 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which171 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
172 means·that·data·from·the·login·session,·including·passwords·and172 means·that·data·from·the·login·session,·including·passwords·and
173 all·other·information·transmitted·during·the·session,·can·be173 all·other·information·transmitted·during·the·session,·can·be
174 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 174 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
175 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 175 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
176 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36073">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36073"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\176 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36050">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36050"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
177 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin177 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
178 #178 #
179 #·Disable·rlogin.socket·for·all·systemd·targets179 #·Disable·rlogin.socket·for·all·systemd·targets
180 #180 #
181 systemctl·disable·rlogin.socket181 systemctl·disable·rlogin.socket
  
182 #182 #
183 #·Stop·rlogin.socket·if·currently·running183 #·Stop·rlogin.socket·if·currently·running
184 #184 #
185 systemctl·stop·rlogin.socket185 systemctl·stop·rlogin.socket
186 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36074">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36074"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin186 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36051">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36051"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
187 ··service:187 ··service:
188 ····name="{{item}}"188 ····name="{{item}}"
189 ····enabled="no"189 ····enabled="no"
190 ····state="stopped"190 ····state="stopped"
191 ··register:·service_result191 ··register:·service_result
192 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"192 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
193 ··with_items:193 ··with_items:
Offset 205, 39 lines modifiedOffset 205, 39 lines modified
205 ····-·low_disruption205 ····-·low_disruption
206 ····-·CCE-27336-7206 ····-·CCE-27336-7
207 ····-·NIST-800-53-AC-17(8)207 ····-·NIST-800-53-AC-17(8)
208 ····-·NIST-800-53-CM-7208 ····-·NIST-800-53-CM-7
209 ····-·NIST-800-53-IA-5(1)(c)209 ····-·NIST-800-53-IA-5(1)(c)
210 ····-·NIST-800-171-3.1.13210 ····-·NIST-800-171-3.1.13
211 ····-·NIST-800-171-3.4.7211 ····-·NIST-800-171-3.4.7
212 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service212 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
213 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with213 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
214 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately214 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
215 as·a·systemd·socket,·should·be·disabled.215 as·a·systemd·socket,·should·be·disabled.
216 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·216 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
217 If·using·systemd,·217 If·using·systemd,·
218 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:218 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
219 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which219 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
220 means·that·data·from·the·login·session,·including·passwords·and220 means·that·data·from·the·login·session,·including·passwords·and
221 all·other·information·transmitted·during·the·session,·can·be221 all·other·information·transmitted·during·the·session,·can·be
222 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 222 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
223 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 223 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
224 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36103">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36103"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\224 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36080">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36080"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
225 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec225 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
226 #226 #
227 #·Disable·rexec.socket·for·all·systemd·targets227 #·Disable·rexec.socket·for·all·systemd·targets
228 #228 #
229 systemctl·disable·rexec.socket229 systemctl·disable·rexec.socket
  
230 #230 #
231 #·Stop·rexec.socket·if·currently·running231 #·Stop·rexec.socket·if·currently·running
232 #232 #
233 systemctl·stop·rexec.socket233 systemctl·stop·rexec.socket
234 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec234 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36081">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36081"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec
235 ··service:235 ··service:
236 ····name="{{item}}"236 ····name="{{item}}"
237 ····enabled="no"237 ····enabled="no"
238 ····state="stopped"238 ····state="stopped"
239 ··register:·service_result239 ··register:·service_result
240 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"240 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
241 ··with_items:241 ··with_items:
1.61 MB
./usr/share/doc/ssg-nondebian/ssg-centos7-guide-nist-800-171-cui.html
    
Offset 98, 24 lines modifiedOffset 98, 24 lines modified
98 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict98 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
99 the·service·as·much·as·possible,·for·instance·by·configuring·host99 the·service·as·much·as·possible,·for·instance·by·configuring·host
100 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the100 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
101 vulnerable·service·to·only·those·remote·hosts·which·have·a·known101 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
102 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec102 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
103 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which103 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
104 allow·cleartext·remote·access·and·have·an·insecure·trust104 allow·cleartext·remote·access·and·have·an·insecure·trust
105 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm36017"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package105 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
106 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands106 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
107 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have107 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
108 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,108 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
109 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from109 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
110 inadvertently·attempting·to·use·these·commands·and·therefore·exposing110 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
111 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes111 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
112 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 112 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
113 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 113 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
114 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36040"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.114 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36017"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
115 #115 #
116 #·Example·Call(s):116 #·Example·Call(s):
117 #117 #
118 #·····package_remove·telnet-server118 #·····package_remove·telnet-server
119 #119 #
120 function·package_remove·{120 function·package_remove·{
  
Offset 145, 62 lines modifiedOffset 145, 62 lines modified
145 ··echo·"Aborting."145 ··echo·"Aborting."
146 ··exit·1146 ··exit·1
147 fi147 fi
  
148 }148 }
  
149 package_remove·rsh149 package_remove·rsh
150 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36042">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36042"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed150 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36019">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36019"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
151 ··package:151 ··package:
152 ····name="{{item}}"152 ····name="{{item}}"
153 ····state=absent153 ····state=absent
154 ··with_items:154 ··with_items:
155 ····-·rsh155 ····-·rsh
156 ··tags:156 ··tags:
157 ····-·package_rsh_removed157 ····-·package_rsh_removed
158 ····-·unknown_severity158 ····-·unknown_severity
159 ····-·disable_strategy159 ····-·disable_strategy
160 ····-·low_complexity160 ····-·low_complexity
161 ····-·low_disruption161 ····-·low_disruption
162 ····-·CCE-27274-0162 ····-·CCE-27274-0
163 ····-·NIST-800-171-3.1.13163 ····-·NIST-800-171-3.1.13
164 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36043">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36043"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh164 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
165 class·remove_rsh·{165 class·remove_rsh·{
166 ··package·{·'rsh':166 ··package·{·'rsh':
167 ····ensure·=&gt;·'purged',167 ····ensure·=&gt;·'purged',
168 ··}168 ··}
169 }169 }
170 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36044">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36044"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>170 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
171 package·--remove=rsh171 package·--remove=rsh
172 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36049"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service172 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36026"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
173 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with173 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
174 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately174 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
175 as·a·systemd·socket,·should·be·disabled.175 as·a·systemd·socket,·should·be·disabled.
176 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.176 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
177 If·using·systemd,·177 If·using·systemd,·
178 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:178 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
179 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which179 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
180 means·that·data·from·the·login·session,·including·passwords·and180 means·that·data·from·the·login·session,·including·passwords·and
181 all·other·information·transmitted·during·the·session,·can·be181 all·other·information·transmitted·during·the·session,·can·be
182 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 182 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
183 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 183 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
184 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36073">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36073"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\184 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36050">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36050"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
185 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin185 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
186 #186 #
187 #·Disable·rlogin.socket·for·all·systemd·targets187 #·Disable·rlogin.socket·for·all·systemd·targets
188 #188 #
189 systemctl·disable·rlogin.socket189 systemctl·disable·rlogin.socket
  
190 #190 #
191 #·Stop·rlogin.socket·if·currently·running191 #·Stop·rlogin.socket·if·currently·running
192 #192 #
193 systemctl·stop·rlogin.socket193 systemctl·stop·rlogin.socket
194 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36074">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36074"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin194 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36051">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36051"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
195 ··service:195 ··service:
196 ····name="{{item}}"196 ····name="{{item}}"
197 ····enabled="no"197 ····enabled="no"
198 ····state="stopped"198 ····state="stopped"
199 ··register:·service_result199 ··register:·service_result
200 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"200 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
201 ··with_items:201 ··with_items:
Offset 213, 39 lines modifiedOffset 213, 39 lines modified
213 ····-·low_disruption213 ····-·low_disruption
214 ····-·CCE-27336-7214 ····-·CCE-27336-7
215 ····-·NIST-800-53-AC-17(8)215 ····-·NIST-800-53-AC-17(8)
216 ····-·NIST-800-53-CM-7216 ····-·NIST-800-53-CM-7
217 ····-·NIST-800-53-IA-5(1)(c)217 ····-·NIST-800-53-IA-5(1)(c)
218 ····-·NIST-800-171-3.1.13218 ····-·NIST-800-171-3.1.13
219 ····-·NIST-800-171-3.4.7219 ····-·NIST-800-171-3.4.7
220 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service220 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
221 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with221 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
222 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately222 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
223 as·a·systemd·socket,·should·be·disabled.223 as·a·systemd·socket,·should·be·disabled.
224 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·224 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
225 If·using·systemd,·225 If·using·systemd,·
226 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:226 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
227 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which227 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
228 means·that·data·from·the·login·session,·including·passwords·and228 means·that·data·from·the·login·session,·including·passwords·and
229 all·other·information·transmitted·during·the·session,·can·be229 all·other·information·transmitted·during·the·session,·can·be
230 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 230 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
231 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 231 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
232 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36103">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36103"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\232 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36080">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36080"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
233 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec233 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
234 #234 #
235 #·Disable·rexec.socket·for·all·systemd·targets235 #·Disable·rexec.socket·for·all·systemd·targets
236 #236 #
237 systemctl·disable·rexec.socket237 systemctl·disable·rexec.socket
  
238 #238 #
239 #·Stop·rexec.socket·if·currently·running239 #·Stop·rexec.socket·if·currently·running
240 #240 #
241 systemctl·stop·rexec.socket241 systemctl·stop·rexec.socket
242 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec242 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36081">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36081"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec
243 ··service:243 ··service:
244 ····name="{{item}}"244 ····name="{{item}}"
245 ····enabled="no"245 ····enabled="no"
246 ····state="stopped"246 ····state="stopped"
247 ··register:·service_result247 ··register:·service_result
248 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"248 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
249 ··with_items:249 ··with_items:
Max diff block lines reached; 1663737/1688866 bytes (98.51%) of diff not shown.
1.61 MB
./usr/share/doc/ssg-nondebian/ssg-centos7-guide-ospp.html
    
Offset 109, 24 lines modifiedOffset 109, 24 lines modified
109 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict109 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
110 the·service·as·much·as·possible,·for·instance·by·configuring·host110 the·service·as·much·as·possible,·for·instance·by·configuring·host
111 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the111 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
112 vulnerable·service·to·only·those·remote·hosts·which·have·a·known112 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
113 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec113 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
114 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which114 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
115 allow·cleartext·remote·access·and·have·an·insecure·trust115 allow·cleartext·remote·access·and·have·an·insecure·trust
116 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm36017"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package116 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
117 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands117 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
118 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have118 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
119 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,119 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
120 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from120 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
121 inadvertently·attempting·to·use·these·commands·and·therefore·exposing121 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
122 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes122 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
123 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 123 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
124 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 124 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
125 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36040"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.125 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36017"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
126 #126 #
127 #·Example·Call(s):127 #·Example·Call(s):
128 #128 #
129 #·····package_remove·telnet-server129 #·····package_remove·telnet-server
130 #130 #
131 function·package_remove·{131 function·package_remove·{
  
Offset 156, 62 lines modifiedOffset 156, 62 lines modified
156 ··echo·"Aborting."156 ··echo·"Aborting."
157 ··exit·1157 ··exit·1
158 fi158 fi
  
159 }159 }
  
160 package_remove·rsh160 package_remove·rsh
161 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36042">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36042"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed161 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36019">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36019"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
162 ··package:162 ··package:
163 ····name="{{item}}"163 ····name="{{item}}"
164 ····state=absent164 ····state=absent
165 ··with_items:165 ··with_items:
166 ····-·rsh166 ····-·rsh
167 ··tags:167 ··tags:
168 ····-·package_rsh_removed168 ····-·package_rsh_removed
169 ····-·unknown_severity169 ····-·unknown_severity
170 ····-·disable_strategy170 ····-·disable_strategy
171 ····-·low_complexity171 ····-·low_complexity
172 ····-·low_disruption172 ····-·low_disruption
173 ····-·CCE-27274-0173 ····-·CCE-27274-0
174 ····-·NIST-800-171-3.1.13174 ····-·NIST-800-171-3.1.13
175 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36043">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36043"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh175 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
176 class·remove_rsh·{176 class·remove_rsh·{
177 ··package·{·'rsh':177 ··package·{·'rsh':
178 ····ensure·=&gt;·'purged',178 ····ensure·=&gt;·'purged',
179 ··}179 ··}
180 }180 }
181 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36044">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36044"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>181 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
182 package·--remove=rsh182 package·--remove=rsh
183 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36049"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service183 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36026"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
184 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with184 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
185 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately185 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
186 as·a·systemd·socket,·should·be·disabled.186 as·a·systemd·socket,·should·be·disabled.
187 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.187 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
188 If·using·systemd,·188 If·using·systemd,·
189 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:189 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
190 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which190 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
191 means·that·data·from·the·login·session,·including·passwords·and191 means·that·data·from·the·login·session,·including·passwords·and
192 all·other·information·transmitted·during·the·session,·can·be192 all·other·information·transmitted·during·the·session,·can·be
193 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 193 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
194 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36073">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36073"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\195 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36050">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36050"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
196 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin196 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
197 #197 #
198 #·Disable·rlogin.socket·for·all·systemd·targets198 #·Disable·rlogin.socket·for·all·systemd·targets
199 #199 #
200 systemctl·disable·rlogin.socket200 systemctl·disable·rlogin.socket
  
201 #201 #
202 #·Stop·rlogin.socket·if·currently·running202 #·Stop·rlogin.socket·if·currently·running
203 #203 #
204 systemctl·stop·rlogin.socket204 systemctl·stop·rlogin.socket
205 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36074">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36074"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin205 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36051">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36051"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
206 ··service:206 ··service:
207 ····name="{{item}}"207 ····name="{{item}}"
208 ····enabled="no"208 ····enabled="no"
209 ····state="stopped"209 ····state="stopped"
210 ··register:·service_result210 ··register:·service_result
211 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"211 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
212 ··with_items:212 ··with_items:
Offset 224, 39 lines modifiedOffset 224, 39 lines modified
224 ····-·low_disruption224 ····-·low_disruption
225 ····-·CCE-27336-7225 ····-·CCE-27336-7
226 ····-·NIST-800-53-AC-17(8)226 ····-·NIST-800-53-AC-17(8)
227 ····-·NIST-800-53-CM-7227 ····-·NIST-800-53-CM-7
228 ····-·NIST-800-53-IA-5(1)(c)228 ····-·NIST-800-53-IA-5(1)(c)
229 ····-·NIST-800-171-3.1.13229 ····-·NIST-800-171-3.1.13
230 ····-·NIST-800-171-3.4.7230 ····-·NIST-800-171-3.4.7
231 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service231 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36056"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
232 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with232 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
233 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately233 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
234 as·a·systemd·socket,·should·be·disabled.234 as·a·systemd·socket,·should·be·disabled.
235 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·235 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
236 If·using·systemd,·236 If·using·systemd,·
237 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:237 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
238 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which238 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
239 means·that·data·from·the·login·session,·including·passwords·and239 means·that·data·from·the·login·session,·including·passwords·and
240 all·other·information·transmitted·during·the·session,·can·be240 all·other·information·transmitted·during·the·session,·can·be
241 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 241 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
242 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 242 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
243 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36103">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36103"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\243 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36080">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36080"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
244 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec244 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
245 #245 #
246 #·Disable·rexec.socket·for·all·systemd·targets246 #·Disable·rexec.socket·for·all·systemd·targets
247 #247 #
248 systemctl·disable·rexec.socket248 systemctl·disable·rexec.socket
  
249 #249 #
250 #·Stop·rexec.socket·if·currently·running250 #·Stop·rexec.socket·if·currently·running
251 #251 #
252 systemctl·stop·rexec.socket252 systemctl·stop·rexec.socket
253 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec253 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36081">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36081"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec
254 ··service:254 ··service:
255 ····name="{{item}}"255 ····name="{{item}}"
256 ····enabled="no"256 ····enabled="no"
257 ····state="stopped"257 ····state="stopped"
258 ··register:·service_result258 ··register:·service_result
259 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"259 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
260 ··with_items:260 ··with_items:
Max diff block lines reached; 1663739/1688870 bytes (98.51%) of diff not shown.
371 KB
./usr/share/doc/ssg-nondebian/ssg-centos7-guide-pci-dss.html
    
Offset 116, 15 lines modifiedOffset 116, 15 lines modified
116 <br><br>116 <br><br>
117 Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code>117 Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code>
118 and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to118 and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to
119 choose·between·the·two·NTP·daemons.119 choose·between·the·two·NTP·daemons.
120 <br><br>120 <br><br>
121 The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for121 The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for
122 <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional122 <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional
123 information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm38412"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers123 information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm38485"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers
124 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete124 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete
125 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be125 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be
126 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the126 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the
127 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to127 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to
128 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>128 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>
129 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for129 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for
130 further·guidance·how·to·choose·between·the·two·NTP·daemons.130 further·guidance·how·to·choose·between·the·two·NTP·daemons.
Offset 137, 15 lines modifiedOffset 137, 15 lines modified
137 Add·additional·lines·of·the·following·form,·substituting·the·IP·address·or137 Add·additional·lines·of·the·following·form,·substituting·the·IP·address·or
138 hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:138 hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:
139 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of139 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of
140 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes140 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes
141 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for141 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for
142 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 142 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
143 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 143 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
144 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38432">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38432"><pre><code>144 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38505">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38505"><pre><code>
145 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"145 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"
  
146 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.146 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.
147 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries147 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries
148 #·$1:·Path·to·the·config·file148 #·$1:·Path·to·the·config·file
149 #·$2:·Comma-separated·list·of·servers149 #·$2:·Comma-separated·list·of·servers
150 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{150 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{
Offset 164, 15 lines modifiedOffset 164, 15 lines modified
  
164 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file164 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file
  
165 config_file="/etc/ntp.conf"165 config_file="/etc/ntp.conf"
166 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"166 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"
  
167 [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"167 [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"
168 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38437"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server168 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38510"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server
169 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete169 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete
170 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be170 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be
171 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the171 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the
172 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to172 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to
173 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>173 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>
174 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for174 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for
175 further·guidance·how·to·choose·between·the·two·NTP·daemons.175 further·guidance·how·to·choose·between·the·two·NTP·daemons.
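Review bot: The only difference in this hunk is the generated element id at line 168 (`guide-tree-leaf-idm38437` on the old side, `guide-tree-leaf-idm38510` on the new side); the remediation script and descriptive text are byte-identical on both sides. These ids look like processor-assigned node identifiers (XSLT `generate-id()`-style values) rather than content-derived ones, which is presumably why two builds of the same source produce differing guides, and the same pattern recurs in the Offset 184, 211, 237, 450 and 468 hunks and in the ssg-centos7-guide-rht-ccp.html section. Deriving the collapse target and row ids from the stable rule id already present in each row, e.g. `data-target="#remediation-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"`, would make the HTML output deterministic. The enclosing `<tr>`/`<td>` elements open before and close after this hunk.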
Offset 184, 15 lines modifiedOffset 184, 15 lines modified
184 Add·or·correct·the·following·lines,·substituting·the·IP·or·hostname·of·a·remote184 Add·or·correct·the·following·lines,·substituting·the·IP·or·hostname·of·a·remote
185 NTP·server·for·<em>ntpserver</em>:185 NTP·server·for·<em>ntpserver</em>:
186 <pre>server·<i>ntpserver</i></pre>186 <pre>server·<i>ntpserver</i></pre>
187 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time187 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time
188 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system188 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system
189 logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 189 logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
190 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 190 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
191 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38461">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38461"><pre><code>191 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38534">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38534"><pre><code>
192 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"192 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"
  
193 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.193 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.
194 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries194 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries
195 #·$1:·Path·to·the·config·file195 #·$1:·Path·to·the·config·file
196 #·$2:·Comma-separated·list·of·servers196 #·$2:·Comma-separated·list·of·servers
197 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{197 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{
Offset 211, 15 lines modifiedOffset 211, 15 lines modified
  
211 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file211 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file
  
212 config_file="/etc/ntp.conf"212 config_file="/etc/ntp.conf"
213 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"213 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"
  
214 grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"214 grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"
215 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38468"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">Enable·the·NTP·Daemon215 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38541"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">Enable·the·NTP·Daemon
216 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>216 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
217 ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command:217 ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command:
218 ········<pre>$·sudo·systemctl·enable·chronyd.service</pre>218 ········<pre>$·sudo·systemctl·enable·chronyd.service</pre>
219 Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default.219 Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default.
220 <br><br>220 <br><br>
  
221 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:221 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
Offset 237, 15 lines modifiedOffset 237, 15 lines modified
237 maintaining·accurate·logs·and·auditing·possible·security·breaches.237 maintaining·accurate·logs·and·auditing·possible·security·breaches.
238 <br><br>238 <br><br>
239 The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the239 The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the
240 functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional240 functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional
241 information·on·this·is·available·at241 information·on·this·is·available·at
242 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 242 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
243 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 243 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
244 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38496">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38496"><pre><code>244 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38569">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38569"><pre><code>
  
245 if·!·`rpm·-q·--quiet·chrony`·&amp;&amp;·!·`rpm·-q·--quiet·ntp-`;·then245 if·!·`rpm·-q·--quiet·chrony`·&amp;&amp;·!·`rpm·-q·--quiet·ntp-`;·then
246 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.246 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
247 #247 #
248 #·Example·Call(s):248 #·Example·Call(s):
249 #249 #
250 #·····package_install·aide250 #·····package_install·aide
Offset 450, 15 lines modifiedOffset 450, 15 lines modified
450 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·450 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·
451 is·called·<code>sshd</code>·and·provided·by·the·RPM·package451 is·called·<code>sshd</code>·and·provided·by·the·RPM·package
452 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary452 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary
453 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then453 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
454 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration454 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
455 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be455 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
456 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more456 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
457 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39988"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval457 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39768"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
458 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout458 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout
459 interval.459 interval.
460 After·this·interval·has·passed,·the·idle·user·will·be460 After·this·interval·has·passed,·the·idle·user·will·be
461 automatically·logged·out.461 automatically·logged·out.
462 <br><br>462 <br><br>
463 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as463 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
464 follows:464 follows:
Offset 468, 15 lines modifiedOffset 468, 15 lines modified
468 <br><br>468 <br><br>
469 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·469 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·
470 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH470 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
471 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of471 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of
472 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session472 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session
473 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 473 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
474 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 474 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
475 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm40013">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40013"><pre><code>475 
············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm39793">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39793"><pre><code>
476 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"476 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"
477 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if477 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
478 #·it·does·not·exist.478 #·it·does·not·exist.
479 #479 #
480 #·Expects·arguments:480 #·Expects·arguments:
481 #481 #
482 #·config_file:»  »  Configuration·file·that·will·be·modified482 #·config_file:»  »  Configuration·file·that·will·be·modified
Max diff block lines reached; 358165/379597 bytes (94.35%) of diff not shown.
154 KB
./usr/share/doc/ssg-nondebian/ssg-centos7-guide-rht-ccp.html
    
Offset 83, 23 lines modifiedOffset 83, 23 lines modified
83 the·service·as·much·as·possible,·for·instance·by·configuring·host83 the·service·as·much·as·possible,·for·instance·by·configuring·host
84 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the84 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
85 vulnerable·service·to·only·those·remote·hosts·which·have·a·known85 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
86 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet86 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity
88 for·information·transmitted·on·the·network.·This·includes·authentication88 for·information·transmitted·on·the·network.·This·includes·authentication
89 information·such·as·passwords.·Organizations·which·use·telnet·should·be89 information·such·as·passwords.·Organizations·which·use·telnet·should·be
90 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm36229"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet_removed">Remove·telnet·Clients90 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm36206"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet_removed">Remove·telnet·Clients
91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other·91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other·
92 systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use92 systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use
93 of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user93 of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user
94 to·steal·credentials.·The·<code>ssh</code>·package·provides·an94 to·steal·credentials.·The·<code>ssh</code>·package·provides·an
95 encrypted·session·and·stronger·security·and·is·included·in·Red·Hat95 encrypted·session·and·stronger·security·and·is·included·in·Red·Hat
96 Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························low</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 97 ························low</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
98 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36249">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36249"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.98 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36226">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36226"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
99 #99 #
100 #·Example·Call(s):100 #·Example·Call(s):
101 #101 #
102 #·····package_remove·telnet-server102 #·····package_remove·telnet-server
103 #103 #
104 function·package_remove·{104 function·package_remove·{
  
Offset 129, 38 lines modifiedOffset 129, 38 lines modified
129 ··echo·"Aborting."129 ··echo·"Aborting."
130 ··exit·1130 ··exit·1
131 fi131 fi
  
132 }132 }
  
133 package_remove·telnet133 package_remove·telnet
134 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36251">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36251"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnet·is·removed134 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36228">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36228"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnet·is·removed
135 ··package:135 ··package:
136 ····name="{{item}}"136 ····name="{{item}}"
137 ····state=absent137 ····state=absent
138 ··with_items:138 ··with_items:
139 ····-·telnet139 ····-·telnet
140 ··tags:140 ··tags:
141 ····-·package_telnet_removed141 ····-·package_telnet_removed
142 ····-·low_severity142 ····-·low_severity
143 ····-·disable_strategy143 ····-·disable_strategy
144 ····-·low_complexity144 ····-·low_complexity
145 ····-·low_disruption145 ····-·low_disruption
146 ····-·CCE-27305-2146 ····-·CCE-27305-2
147 ····-·NIST-800-171-3.1.13147 ····-·NIST-800-171-3.1.13
148 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36252">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36252"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnet148 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36229">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36229"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnet
  
149 class·remove_telnet·{149 class·remove_telnet·{
150 ··package·{·'telnet':150 ··package·{·'telnet':
151 ····ensure·=&gt;·'purged',151 ····ensure·=&gt;·'purged',
152 ··}152 ··}
153 }153 }
154 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36253">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36253"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>154 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36230">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36230"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
155 package·--remove=telnet155 package·--remove=telnet
156 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm36258"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_telnet_disabled">Disable·telnet·Service156 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm36235"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_telnet_disabled">Disable·telnet·Service
157 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code>157 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code>
158 is·not·created·automatically.·If·it·was·created·manually,·check·the158 is·not·created·automatically.·If·it·was·created·manually,·check·the
159 <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code>159 <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code>
160 is·changed·to·read·<code>disable·=·yes</code>·as·follows·below:160 is·changed·to·read·<code>disable·=·yes</code>·as·follows·below:
161 <pre>161 <pre>
162 #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\162 #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\
163 #·······unencrypted·username/password·pairs·for·authentication.163 #·······unencrypted·username/password·pairs·for·authentication.
Offset 183, 27 lines modifiedOffset 183, 27 lines modified
183 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:183 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
184 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which184 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which
185 means·that·data·from·the·login·session,·including·passwords·and185 means·that·data·from·the·login·session,·including·passwords·and
186 all·other·information·transmitted·during·the·session,·can·be186 all·other·information·transmitted·during·the·session,·can·be
187 stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also187 stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also
188 subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 188 subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
189 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 189 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
190 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36284">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36284"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/telnet·&amp;&amp;·\190 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36261">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36261"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/telnet·&amp;&amp;·\
191 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet191 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet
  
192 #192 #
193 #·Disable·telnet.socket·for·all·systemd·targets193 #·Disable·telnet.socket·for·all·systemd·targets
194 #194 #
195 systemctl·disable·telnet.socket195 systemctl·disable·telnet.socket
  
196 #196 #
197 #·Stop·telnet.socket·if·currently·running197 #·Stop·telnet.socket·if·currently·running
198 #198 #
199 systemctl·stop·telnet.socket199 systemctl·stop·telnet.socket
200 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36285">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36285"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·telnet200 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36262">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36262"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·telnet
201 ··service:201 ··service:
202 ····name="{{item}}"202 ····name="{{item}}"
203 ····enabled="no"203 ····enabled="no"
204 ····state="stopped"204 ····state="stopped"
205 ··register:·service_result205 ··register:·service_result
206 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"206 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
207 ··with_items:207 ··with_items:
Offset 216, 29 lines modifiedOffset 216, 29 lines modified
216 ····-·low_disruption216 ····-·low_disruption
217 ····-·CCE-27401-9217 ····-·CCE-27401-9
218 ····-·NIST-800-53-AC-17(8)218 ····-·NIST-800-53-AC-17(8)
219 ····-·NIST-800-53-CM-7219 ····-·NIST-800-53-CM-7
220 ····-·NIST-800-53-IA-5(1)(c)220 ····-·NIST-800-53-IA-5(1)(c)
221 ····-·NIST-800-171-3.1.13221 ····-·NIST-800-171-3.1.13
222 ····-·NIST-800-171-3.4.7222 ····-·NIST-800-171-3.4.7
223 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36290"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package223 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36267"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package
224 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with224 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with
225 the·following·command:225 the·following·command:
226 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding226 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding
227 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore227 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore
228 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.228 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.
229 <br>229 <br>
230 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·230 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·
231 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were231 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were
232 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.232 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.
233 <br>233 <br>
234 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·234 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·
235 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 235 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
236 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 236 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
237 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm36317">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36317"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.237 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/Spec
ialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36294">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36294"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
238 #238 #
239 #·Example·Call(s):239 #·Example·Call(s):
240 #240 #
241 #·····package_remove·telnet-server241 #·····package_remove·telnet-server
242 #242 #
243 function·package_remove·{243 function·package_remove·{
  
Offset 268, 15 lines modifiedOffset 268, 15 lines modified
268 ··echo·"Aborting."268 ··echo·"Aborting."
269 ··exit·1269 ··exit·1
270 fi270 fi
  
271 }271 }
  
Max diff block lines reached; 132658/157561 bytes (84.19%) of diff not shown.
327 KB
./usr/share/doc/ssg-nondebian/ssg-centos7-guide-standard.html
    
Offset 71, 28 lines modifiedOffset 71, 28 lines modified
71 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional71 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
72 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up72 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
73 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons73 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons
74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to
75 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost75 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost
76 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or76 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or
77 may·not·be·required·on·a·given·system.·Both·daemons·should·be77 may·not·be·required·on·a·given·system.·Both·daemons·should·be
78 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm36916"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd)78 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm36989"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd)
79 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to79 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to
80 schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed80 schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed
81 execution·in·a·manner·similar·to·cron,·except·that·it·is·not81 execution·in·a·manner·similar·to·cron,·except·that·it·is·not
82 recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via82 recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via
83 <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time.83 <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time.
  
84 ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command:84 ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command:
85 ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry85 ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry
86 out·activities·outside·of·a·normal·login·session,·which·could·complicate86 out·activities·outside·of·a·normal·login·session,·which·could·complicate
87 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or87 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or
88 <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 88 <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
89 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 89 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
90 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36932">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36932"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.90 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm37005">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37005"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
91 #91 #
92 #·Example·Call(s):92 #·Example·Call(s):
93 #93 #
94 #·····service_command·enable·bluetooth94 #·····service_command·enable·bluetooth
95 #·····service_command·disable·bluetooth.service95 #·····service_command·disable·bluetooth.service
96 #96 #
97 #·····Using·xinetd:97 #·····Using·xinetd:
Offset 160, 15 lines modifiedOffset 160, 15 lines modified
160 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd160 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
161 ··fi161 ··fi
162 fi162 fi
  
163 }163 }
  
164 service_command·disable·atd164 service_command·disable·atd
165 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36934">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36934"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd165 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm37007">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37007"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd
166 ··service:166 ··service:
167 ····name="{{item}}"167 ····name="{{item}}"
168 ····enabled="no"168 ····enabled="no"
169 ····state="stopped"169 ····state="stopped"
170 ··register:·service_result170 ··register:·service_result
171 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"171 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
172 ··with_items:172 ··with_items:
Offset 183, 27 lines modifiedOffset 183, 27 lines modified
183 ····-·NIST-800-53-CM-7183 ····-·NIST-800-53-CM-7
184 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services184 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services
185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a
186 Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other186 Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other
187 sections.·Some·of·these·services·listen·on·the·network·and187 sections.·Some·of·these·services·listen·on·the·network·and
188 should·be·treated·with·particular·discretion.·Other·services·are·local188 should·be·treated·with·particular·discretion.·Other·services·are·local
189 system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services189 system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services
190 should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38578"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled">Disable·Network·Router·Discovery·Daemon·(rdisc)190 should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38651"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled">Disable·Network·Router·Discovery·Daemon·(rdisc)
191 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP191 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP
192 Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on192 Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on
193 the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is193 the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is
194 updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled.194 updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled.
  
195 ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command:195 ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command:
196 ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing196 ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing
197 information·configured·statically·by·a·system·administrator.·Workstations·or197 information·configured·statically·by·a·system·administrator.·Workstations·or
198 some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve198 some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve
199 dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 199 dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
200 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 200 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
201 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38589">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38589"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.201 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38662">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38662"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
202 #202 #
203 #·Example·Call(s):203 #·Example·Call(s):
204 #204 #
205 #·····service_command·enable·bluetooth205 #·····service_command·enable·bluetooth
206 #·····service_command·disable·bluetooth.service206 #·····service_command·disable·bluetooth.service
207 #207 #
208 #·····Using·xinetd:208 #·····Using·xinetd:
Offset 271, 15 lines modifiedOffset 271, 15 lines modified
271 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd271 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
272 ··fi272 ··fi
273 fi273 fi
  
274 }274 }
  
275 service_command·disable·rdisc275 service_command·disable·rdisc
276 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm38591">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38591"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rdisc276 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm38664">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38664"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rdisc
277 ··service:277 ··service:
278 ····name="{{item}}"278 ····name="{{item}}"
279 ····enabled="no"279 ····enabled="no"
280 ····state="stopped"280 ····state="stopped"
281 ··register:·service_result281 ··register:·service_result
282 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"282 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
283 ··with_items:283 ··with_items:
Offset 290, 27 lines modifiedOffset 290, 27 lines modified
290 ····-·disable_strategy290 ····-·disable_strategy
291 ····-·low_complexity291 ····-·low_complexity
292 ····-·low_disruption292 ····-·low_disruption
293 ····-·CCE-80268-6293 ····-·CCE-80268-6
294 ····-·NIST-800-53-AC-17(8)294 ····-·NIST-800-53-AC-17(8)
295 ····-·NIST-800-53-AC-4295 ····-·NIST-800-53-AC-4
296 ····-·NIST-800-53-CM-7296 ····-·NIST-800-53-CM-7
297 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm38711"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">Disable·Odd·Job·Daemon·(oddjobd)297 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm38784"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">Disable·Odd·Job·Daemon·(oddjobd)
298 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and298 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and
299 access·control·mechanism·through·which299 access·control·mechanism·through·which
300 specified·privileged·tasks·can·run·tasks·for·unprivileged·client300 specified·privileged·tasks·can·run·tasks·for·unprivileged·client
301 applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus.301 applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus.
  
302 ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command:302 ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command:
303 ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in303 ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in
304 some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of304 some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of
305 tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally305 tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally
306 been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 306 been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
307 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 307 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
308 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38722">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38722"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.308 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38795">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38795"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
309 #309 #
310 #·Example·Call(s):310 #·Example·Call(s):
311 #311 #
312 #·····service_command·enable·bluetooth312 #·····service_command·enable·bluetooth
313 #·····service_command·disable·bluetooth.service313 #·····service_command·disable·bluetooth.service
314 #314 #
315 #·····Using·xinetd:315 #·····Using·xinetd:
Offset 378, 15 lines modifiedOffset 378, 15 lines modified
378 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd378 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
379 ··fi379 ··fi
380 fi380 fi
  
381 }381 }
  
382 service_command·disable·oddjobd382 service_command·disable·oddjobd
383 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm38724">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38724"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·oddjobd383 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm38797">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38797"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·oddjobd
384 ··service:384 ··service:
385 ····name="{{item}}"385 ····name="{{item}}"
Max diff block lines reached; 316204/334498 bytes (94.53%) of diff not shown.
932 KB
./usr/share/doc/ssg-nondebian/ssg-centos7-guide-stig-rhel7-disa.html
    
Offset 92, 65 lines modifiedOffset 92, 65 lines modified
92 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict92 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
93 the·service·as·much·as·possible,·for·instance·by·configuring·host93 the·service·as·much·as·possible,·for·instance·by·configuring·host
94 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the94 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
95 vulnerable·service·to·only·those·remote·hosts·which·have·a·known95 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
96 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec96 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
97 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which97 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
98 allow·cleartext·remote·access·and·have·an·insecure·trust98 allow·cleartext·remote·access·and·have·an·insecure·trust
99 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36109"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files99 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36086"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files
100 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts100 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts
101 and·users·that·are·trusted·by·the·local·system.101 and·users·that·are·trusted·by·the·local·system.
102 To·remove·these·files,·run·the·following·command·to·delete·them·from·any102 To·remove·these·files,·run·the·following·command·to·delete·them·from·any
103 location:103 location:
104 <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the104 <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the
105 system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing105 system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing
106 unauthorized·access·to·the·system,·as·it·does·not·require·interactive106 unauthorized·access·to·the·system,·as·it·does·not·require·interactive
107 identification·and·authentication·of·a·connection·request,·or·for·the·use·of107 identification·and·authentication·of·a·connection·request,·or·for·the·use·of
108 two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 108 two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
109 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 109 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
110 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36118">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36118"><pre><code>110 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36095">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36095"><pre><code>
111 #·Identify·local·mounts111 #·Identify·local·mounts
112 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·112 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·
  
113 #·Find·file·on·each·listed·mount·point113 #·Find·file·on·each·listed·mount·point
114 for·cur_mount·in·${MOUNT_LIST}114 for·cur_mount·in·${MOUNT_LIST}
115 do115 do
116 »       find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\;116 »       find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\;
117 done117 done
118 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36154"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files118 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36131"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files
119 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files119 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files
120 list·remote·hosts·and·users·that·are·trusted·by·the120 list·remote·hosts·and·users·that·are·trusted·by·the
121 local·system.·To·remove·these·files,·run·the·following·command121 local·system.·To·remove·these·files,·run·the·following·command
122 to·delete·them·from·any·location:122 to·delete·them·from·any·location:
123 <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for123 <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for
124 individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not124 individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not
125 sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not125 sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not
126 require·interactive·identification·and·authentication·of·a·connection·request,126 require·interactive·identification·and·authentication·of·a·connection·request,
127 or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 128 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
129 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36163">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36163"><pre><code>129 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36140">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36140"><pre><code>
130 #·Identify·local·mounts130 #·Identify·local·mounts
131 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·131 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·
  
132 #·Find·file·on·each·listed·mount·point132 #·Find·file·on·each·listed·mount·point
133 for·cur_mount·in·${MOUNT_LIST}133 for·cur_mount·in·${MOUNT_LIST}
134 do134 do
135 »       find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\;135 »       find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\;
136 done136 done
137 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36168"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package137 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36145"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package
138 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with138 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with
139 the·following·command:139 the·following·command:
140 <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not140 <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not
141 provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak141 provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak
142 authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password142 authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password
143 could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure143 could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure
144 network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional)144 network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional)
145 activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 145 activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
146 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 146 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
147 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm36193">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36193"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.147 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-
OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36170">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36170"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
148 #148 #
149 #·Example·Call(s):149 #·Example·Call(s):
150 #150 #
151 #·····package_remove·telnet-server151 #·····package_remove·telnet-server
152 #152 #
153 function·package_remove·{153 function·package_remove·{
  
Offset 180, 15 lines modifiedOffset 180, 15 lines modified
180 ··echo·"Aborting."180 ··echo·"Aborting."
181 ··exit·1181 ··exit·1
182 fi182 fi
  
183 }183 }
  
184 package_remove·rsh-server184 package_remove·rsh-server
185 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36195">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36195"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh-server·is·removed185 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36172">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36172"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh-server·is·removed
186 ··package:186 ··package:
187 ····name="{{item}}"187 ····name="{{item}}"
188 ····state=absent188 ····state=absent
189 ··with_items:189 ··with_items:
190 ····-·rsh-server190 ····-·rsh-server
191 ··tags:191 ··tags:
192 ····-·package_rsh-server_removed192 ····-·package_rsh-server_removed
Offset 196, 42 lines modifiedOffset 196, 42 lines modified
196 ····-·disable_strategy196 ····-·disable_strategy
197 ····-·low_complexity197 ····-·low_complexity
198 ····-·low_disruption198 ····-·low_disruption
199 ····-·CCE-27342-5199 ····-·CCE-27342-5
200 ····-·NIST-800-53-AC-17(8)200 ····-·NIST-800-53-AC-17(8)
201 ····-·NIST-800-53-CM-7(a)201 ····-·NIST-800-53-CM-7(a)
202 ····-·DISA-STIG-RHEL-07-020000202 ····-·DISA-STIG-RHEL-07-020000
203 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36196">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36196"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh-server203 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36173">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36173"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh-server
  
204 class·remove_rsh-server·{204 class·remove_rsh-server·{
205 ··package·{·'rsh-server':205 ··package·{·'rsh-server':
206 ····ensure·=&gt;·'purged',206 ····ensure·=&gt;·'purged',
207 ··}207 ··}
208 }208 }
209 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36197">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36197"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>209 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36174">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36174"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
210 package·--remove=rsh-server210 package·--remove=rsh-server
211 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet211 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet
212 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity212 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity
213 for·information·transmitted·on·the·network.·This·includes·authentication213 for·information·transmitted·on·the·network.·This·includes·authentication
214 information·such·as·passwords.·Organizations·which·use·telnet·should·be214 information·such·as·passwords.·Organizations·which·use·telnet·should·be
215 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36290"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package215 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36267"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package
216 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with216 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with
217 the·following·command:217 the·following·command:
218 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding218 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding
219 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore219 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore
220 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.220 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.
221 <br>221 <br>
222 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·222 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·
223 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were223 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were
224 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.224 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.
225 <br>225 <br>
226 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·226 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·
227 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 227 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
228 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 228 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
229 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm36317">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36317"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.229 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/Spec
ialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36294">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36294"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
230 #230 #
231 #·Example·Call(s):231 #·Example·Call(s):
232 #232 #
233 #·····package_remove·telnet-server233 #·····package_remove·telnet-server
234 #234 #
235 function·package_remove·{235 function·package_remove·{
  
Offset 261, 15 lines modifiedOffset 261, 15 lines modified
261 ··echo·"Aborting."261 ··echo·"Aborting."
262 ··exit·1262 ··exit·1
Max diff block lines reached; 928191/953987 bytes (97.30%) of diff not shown.
119 KB
./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-default.html
    
Offset 48, 27 lines modifiedOffset 48, 24 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_docker">Docker·Service</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·950,·SHA:·d40cfc87a422dd1ca7ea2c671f42f83a22053278f024506a707b11abc8b6b896·...·]</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_
org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·950,·SHA:·a7c844d718d4a2cf68abe69bc182d0b9229d73dc5dbe42fbcbb39f6b8f5fcc63·...·]</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org
.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
58 the·software·which·Red·Hat·OpenStack·Platform·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It58 the·software·which·Red·Hat·OpenStack·Platform·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It
59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·OpenStack·Platform·7·system·and·provides·guidance·about·which59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·OpenStack·Platform·7·system·and·provides·guidance·about·which
60 ones·can·be·safely·disabled.60 ones·can·be·safely·disabled.
61 <br><br>61 <br><br>
62 Red·Hat·OpenStack·Platform·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional62 Red·Hat·OpenStack·Platform·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
63 system.·When·building·Red·Hat·OpenStack·Platform·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up63 system.·When·building·Red·Hat·OpenStack·Platform·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
64 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service64 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are 
66 ··self-sufficient·and·self-contained·applications·using·the·resource 
67 ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services 
68 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible
69 services·which·have·historically·caused·problems·for·system66 services·which·have·historically·caused·problems·for·system
70 security,·and·for·which·disabling·or·severely·limiting·the·service67 security,·and·for·which·disabling·or·severely·limiting·the·service
71 has·been·the·best·available·guidance·for·some·time.·As·a·result·of68 has·been·the·best·available·guidance·for·some·time.·As·a·result·of
72 this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·769 this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7
73 by·default.70 by·default.
74 <br><br>71 <br><br>
Offset 102, 15 lines modifiedOffset 99, 51 lines modified
102 found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd99 found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd
103 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some100 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some
104 network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access101 network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access
105 controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other102 controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other
106 features,·and·it·is·not·installed·by·default.·The·older·Inetd·service103 features,·and·it·is·not·installed·by·default.·The·older·Inetd·service
107 is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services104 is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services
108 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages105 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages
109 across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack106 across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server
 107 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not
 108 installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a>
 109 contains·more·detailed·information·about·Dovecot
 110 configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary
 111 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or
 112 POP3·server,·the·dovecot·software·should·be·configured·securely·by·following
 113 the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support
 114 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the·
 115 Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot·
 116 server·in·order·to·read·their·mail,·and·passwords·should·never·be·
 117 transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is·
 118 downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates·
 119 to·authenticate·the·server,·preventing·another·system·from·impersonating·
 120 the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server
 121 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound
 122 access·to·any·services.·This·modification·will·allow·remote·hosts·to
 123 initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports
 124 on·the·server·in·their·default·protected·state.
  
 125 ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s):
 126 ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and
 127 ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols
 128 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as·
 129 SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server·
 130 to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.·
 131 Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with·
 132 only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,·
 133 <code>pop3</code>,·<code>pop3s</code>)·required:
 134 <pre>protocols·=·PROTOCOL</pre>
 135 If·possible,·require·SSL·protection·for·all·transactions.·The·SSL·
 136 protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for·
 137 pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.·
 138 An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the·
 139 client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot
 140 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or
 141 POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack
110 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist142 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist
111 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_keystone"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_keystone"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_keystone">Keystone·STIG·Checklist143 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_keystone"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_keystone"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_keystone">Keystone·STIG·Checklist
112 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_keystone">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Keystone·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_keystone"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nova"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nova"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_nova">Nova·STIG·Checklist144 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_keystone">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Keystone·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_keystone"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nova"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nova"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_nova">Nova·STIG·Checklist
113 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_nova">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Nova·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_nova"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_horizon"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_horizon">Horizon·STIG·Checklist145 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_nova">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Nova·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_nova"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_horizon"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_horizon">Horizon·STIG·Checklist
114 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_horizon">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Horizon·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_neutron"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_neutron">Neutron·STIG·Checklist146 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_horizon">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Horizon·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_horizon"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_neutron"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_neutron">Neutron·STIG·Checklist
115 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_neutron">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Neutron·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server147 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_neutron">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Neutron·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_neutron"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
116 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to148 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
Offset 854, 51 lines modifiedOffset 887, 18 lines modified
854 supersede·domain-name-servers·192.168.1.2;887 supersede·domain-name-servers·192.168.1.2;
855 supersede·nis-domain·"";888 supersede·nis-domain·"";
856 supersede·nis-servers·"";889 supersede·nis-servers·"";
857 supersede·ntp-servers·"ntp.example.com·";890 supersede·ntp-servers·"ntp.example.com·";
858 supersede·routers·192.168.1.1;891 supersede·routers·192.168.1.1;
859 supersede·time-offset·-18000;892 supersede·time-offset·-18000;
860 request·subnet-mask;893 request·subnet-mask;
861 require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server894 require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service
862 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not895 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are
863 installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a>896 ··self-sufficient·and·self-contained·applications·using·the·resource
864 contains·more·detailed·information·about·Dovecot897 ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC
865 configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary 
866 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or 
867 POP3·server,·the·dovecot·software·should·be·configured·securely·by·following 
868 the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support 
869 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· 
870 Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· 
871 server·in·order·to·read·their·mail,·and·passwords·should·never·be· 
872 transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· 
873 downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· 
874 to·authenticate·the·server,·preventing·another·system·from·impersonating· 
875 the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server 
876 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound 
877 access·to·any·services.·This·modification·will·allow·remote·hosts·to 
878 initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports 
879 on·the·server·in·their·default·protected·state. 
  
880 ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): 
881 ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and 
882 ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols 
883 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· 
884 SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· 
885 to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· 
886 Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· 
887 only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· 
888 <code>pop3</code>,·<code>pop3s</code>)·required: 
889 <pre>protocols·=·PROTOCOL</pre> 
890 If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· 
891 protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· 
892 pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· 
893 An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· 
894 client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot 
895 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or 
896 POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC 
897 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for898 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for
898 the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the899 the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the
899 circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies,900 circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies,
Max diff block lines reached; 84051/121344 bytes (69.27%) of diff not shown.
./usr/share/doc/ssg-nondebian/ssg-rhel-osp7-guide-stig-openstack.html
    
Offset 58, 70 lines modifiedOffset 58, 83 lines modified
58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·OpenStack·Platform·7·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·OpenStack·Platform·7·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Red·Hat·OpenStack·Platform·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Red·Hat·OpenStack·Platform·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Red·Hat·OpenStack·Platform·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Red·Hat·OpenStack·Platform·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
63 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack63 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7-OSP"><td·style="padding-left:·19px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·32·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cinder"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_cinder">Cinder·STIG·Checklist
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><small>contains·8·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_glance_tls"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_glance_tls"·id="guide-tree-leaf-idm4321"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_glance_tls">Check-Block-06:·Does·cinder·communicates·with·glance·over·TLS?65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cinder">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>High·level·overview·of·Cinder·STIG·settings·to·go·here!</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cinder"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_openstack"><td·style="padding-left:·57px"><small>contains·8·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_glance_tls"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_glance_tls"·id="guide-tree-leaf-idm4347"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_glance_tls">Check-Block-06:·Does·cinder·communicates·with·glance·over·TLS?
66 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_glance_tls">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Similar·to·previous·check·(Check-Block-05:·Does·cinder·communicates·with·nova·over·TLS?),·it·is·recommended·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol.66 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_glance_tls">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Similar·to·previous·check·(Check-Block-05:·Does·cinder·communicates·with·nova·over·TLS?),·it·is·recommended·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol.
  
67 <br>67 <br>
68 <br>68 <br>
69 Pass:·If·value·of·parameter·glance_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False.69 Pass:·If·value·of·parameter·glance_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False.
  
70 <br>70 <br>
71 <br>71 <br>
72 Fail:·If·value·of·parameter·glance_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 72 Fail:·If·value·of·parameter·glance_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
73 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 73 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
74 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 74 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
75 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4331">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4331"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·glance_api_insecure·False75 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4357">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4357"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·glance_api_insecure·False
76 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·id="guide-tree-leaf-idm4332"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">Check-Block-07:·Is·NAS·operating·in·secure·enviornment?76 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions"·id="guide-tree-leaf-idm4358"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">Check-Block-07:·Is·NAS·operating·in·secure·enviornment?
77 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Cinder·supports·an·NFS·driver·which·works·differently·than·a·traditional·block·storage·driver.·The·NFS·driver·does·not·actually·allow·an·instance·to·access·a·storage·device·at·the·block·level.·Instead,·files·are·created·on·an·NFS·share·and·mapped·to·instances,·which·emulates·a·block·device.·Cinder·supports·secure·configuration·for·such·files·by·controlling·the·file·permissions·when·cinder·volumes·are·created.·Cinder·configuration·can·also·control·whether·file·operations·are·run·as·the·root·user·or·the·current·OpenStack·process·user.77 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nas_secure_file_permissions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Cinder·supports·an·NFS·driver·which·works·differently·than·a·traditional·block·storage·driver.·The·NFS·driver·does·not·actually·allow·an·instance·to·access·a·storage·device·at·the·block·level.·Instead,·files·are·created·on·an·NFS·share·and·mapped·to·instances,·which·emulates·a·block·device.·Cinder·supports·secure·configuration·for·such·files·by·controlling·the·file·permissions·when·cinder·volumes·are·created.·Cinder·configuration·can·also·control·whether·file·operations·are·run·as·the·root·user·or·the·current·OpenStack·process·user.
  
78 <br>78 <br>
79 <br>79 <br>
80 Pass:·If·value·of·parameter·nas_secure_file_permissions·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·auto,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·and·use·secure·file·permissions.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·insecure·method·of·handling·file·permissions.·If·value·of·parameter·nas_secure_file_operations·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·“auto”,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·be·secure·and·do·NOT·run·as·the·root·user.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·method·of·running·operations·as·the·root·user.·For·new·installations,·a·“marker·file”·is·written·so·that·subsequent·restarts·of·cinder·will·know·what·the·original·determination·had·been.80 
Pass:·If·value·of·parameter·nas_secure_file_permissions·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·auto,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·and·use·secure·file·permissions.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·insecure·method·of·handling·file·permissions.·If·value·of·parameter·nas_secure_file_operations·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·auto.·When·set·to·“auto”,·a·check·is·done·during·cinder·startup·to·determine·if·there·are·existing·cinder·volumes,·no·volumes·will·set·the·option·to·True,·be·secure·and·do·NOT·run·as·the·root·user.·The·detection·of·existing·volumes·will·set·the·option·to·False,·and·use·the·current·method·of·running·operations·as·the·root·user.·For·new·installations,·a·“marker·file”·is·written·so·that·subsequent·restarts·of·cinder·will·know·what·the·original·determination·had·been.
  
81 <br>81 <br>
82 <br>82 <br>
83 Fail:·If·value·of·parameter·nas_secure_file_permissions·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False·and·if·value·of·parameter·nas_secure_file_operations·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 83 Fail:·If·value·of·parameter·nas_secure_file_permissions·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False·and·if·value·of·parameter·nas_secure_file_operations·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
84 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 84 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
85 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 85 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
86 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_using_keystone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_using_keystone"·id="guide-tree-leaf-idm4342"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_using_keystone">Check-Block-03:·Is·keystone·used·for·authentication?86 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_using_keystone"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_using_keystone"·id="guide-tree-leaf-idm4368"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_using_keystone">Check-Block-03:·Is·keystone·used·for·authentication?
87 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_using_keystone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·supports·various·authentication·strategies·like·noauth,·keystone·etc.·If·the·‘noauth’·strategy·is·used·then·the·users·could·interact·with·OpenStack·services·without·any·authentication.·This·could·be·a·potential·risk·since·an·attacker·might·gain·unauthorized·access·to·the·OpenStack·components.·Thus·it·is·strongly·recommended·that·all·services·must·be·authenticated·with·keystone·using·their·service·accounts.87 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_using_keystone">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·supports·various·authentication·strategies·like·noauth,·keystone·etc.·If·the·‘noauth’·strategy·is·used·then·the·users·could·interact·with·OpenStack·services·without·any·authentication.·This·could·be·a·potential·risk·since·an·attacker·might·gain·unauthorized·access·to·the·OpenStack·components.·Thus·it·is·strongly·recommended·that·all·services·must·be·authenticated·with·keystone·using·their·service·accounts.
  
88 <br>88 <br>
89 <br>89 <br>
90 Pass:·If·value·of·parameter·auth_strategy·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·keystone.90 Pass:·If·value·of·parameter·auth_strategy·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·keystone.
  
91 <br>91 <br>
92 <br>92 <br>
93 Fail:·If·value·of·parameter·auth_strategy·under·[DEFAULT]·section·is·set·to·noauth.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 93 Fail:·If·value·of·parameter·auth_strategy·under·[DEFAULT]·section·is·set·to·noauth.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
94 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 94 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
95 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 95 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
96 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4352">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4352"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone96 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4378">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4378"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone
97 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_tls_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_tls_enabled"·id="guide-tree-leaf-idm4353"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_tls_enabled">Check-Block-04:·Is·TLS·enabled·for·authentication?97 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nova_tls"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nova_tls"·id="guide-tree-leaf-idm4379"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_nova_tls">Check-Block-05:·Does·cinder·communicates·with·nova·over·TLS?
 98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nova_tls">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol.
  
 99 <br>
 100 <br>
 101 Pass:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False.
  
 102 <br>
 103 <br>
 104 Fail:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 105 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 106 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 107 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4389">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4389"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False
 108 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_tls_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_tls_enabled"·id="guide-tree-leaf-idm4390"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_tls_enabled">Check-Block-04:·Is·TLS·enabled·for·authentication?
98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_tls_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol.109 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_tls_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol.
99 <br>110 <br>
100 <br>111 <br>
101 Pass:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·https,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·Identity·API·endpoint·starting·with·https://·and·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·False.112 Pass:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·https,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·Identity·API·endpoint·starting·with·https://·and·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·False.
102 <br>113 <br>
103 <br>114 <br>
104 Fail:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·http,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·not·set·to·Identity·API·endpoint·starting·with·https://·or·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 115 Fail:·If·value·of·parameter·auth_protocol·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·set·to·http,·or·if·value·of·parameter·identity_uri·under·[keystone_authtoken]·section·in·/etc/cinder/cinder.conf·is·not·set·to·Identity·API·endpoint·starting·with·https://·or·value·of·parameter·insecure·under·the·same·[keystone_authtoken]·section·in·the·same·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
105 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 116 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
106 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 117 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
107 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4363">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4363"><pre><code>OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri)118 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4400">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4400"><pre><code>OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri)
108 NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}"119 NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}"
109 openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI120 openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI
  
110 OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri)121 OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri)
111 NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}"122 NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}"
112 openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI123 openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI
113 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_perms"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_perms"·id="guide-tree-leaf-idm4364"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_file_perms">Check-Block-02:·Are·strict·permissions·set·for·Compute·configuration·files?124 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_perms"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_perms"·id="guide-tree-leaf-idm4401"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_file_perms">Check-Block-02:·Are·strict·permissions·set·for·Compute·configuration·files?
114 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_perms">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Similar·to·the·previous·check,·it·is·recommended·to·set·strict·access·permissions·for·such·configuration·files.125 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_perms">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Similar·to·the·previous·check,·it·is·recommended·to·set·strict·access·permissions·for·such·configuration·files.
115 <br>126 <br>
116 <br>127 <br>
117 Run·the·following·commands:128 Run·the·following·commands:
118 <br>129 <br>
119 <br>130 <br>
120 <code>131 <code>
Offset 155, 32 lines modifiedOffset 168, 19 lines modified
155 other········---168 other········---
156 </code>169 </code>
157 <br>170 <br>
158 <br>171 <br>
159 Fail:·If·permissions·are·not·set·to·at·least·640.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 172 Fail:·If·permissions·are·not·set·to·at·least·640.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
160 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 173 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
161 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 174 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
162 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4391">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4391"><pre><code>chmod·640·/etc/cinder/cinder.conf175 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4428">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4428"><pre><code>chmod·640·/etc/cinder/cinder.conf
163 chmod·640·/etc/cinder/api-paste.ini176 chmod·640·/etc/cinder/api-paste.ini
164 chmod·640·/etc/cinder/policy.json177 chmod·640·/etc/cinder/policy.json
165 chmod·640·/etc/cinder/rootwrap.conf178 chmod·640·/etc/cinder/rootwrap.conf
166 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_nova_tls"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_nova_tls"·id="guide-tree-leaf-idm4392"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_nova_tls">Check-Block-05:·Does·cinder·communicates·with·nova·over·TLS?179 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_ownership"·id="guide-tree-leaf-idm4429"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_file_ownership">Check-Block-01:·Is·user/group·ownership·of·config·files·set·to·root/cinder?
167 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_nova_tls">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>OpenStack·components·communicate·with·each·other·using·various·protocols·and·the·communication·might·involve·sensitive·/·confidential·data.·An·attacker·may·try·to·eavesdrop·on·the·channel·in·order·to·get·access·to·sensitive·information.·Thus·all·the·components·must·communicate·with·each·other·using·a·secured·communication·protocol. 
  
168 <br> 
169 <br> 
170 Pass:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·False. 
  
171 <br> 
172 <br> 
173 Fail:·If·value·of·parameter·nova_api_insecure·under·[DEFAULT]·section·in·/etc/cinder/cinder.conf·is·set·to·True.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
174 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
175 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
176 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4402">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4402"><pre><code>openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False 
177 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_cinder_file_ownership"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_cinder_file_ownership"·id="guide-tree-leaf-idm4403"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cinder"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_cinder_file_ownership">Check-Block-01:·Is·user/group·ownership·of·config·files·set·to·root/cinder? 
178 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_ownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Configuration·files·contain·critical·parameters·and·information·required·for·smooth·functioning·of·the·component.·If·an·unprivileged·user,·either·intentionally·or·accidentally,·modifies·or·deletes·any·of·the·parameters·or·the·file·itself·then·it·would·cause·severe·availability·issues·resulting·in·a·denial·of·service·to·the·other·end·users.·Thus·user·ownership·of·such·critical·configuration·files·must·be·set·to·root·and·group·ownership·must·be·set·to·cinder.180 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_cinder_file_ownership">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Configuration·files·contain·critical·parameters·and·information·required·for·smooth·functioning·of·the·component.·If·an·unprivileged·user,·either·intentionally·or·accidentally,·modifies·or·deletes·any·of·the·parameters·or·the·file·itself·then·it·would·cause·severe·availability·issues·resulting·in·a·denial·of·service·to·the·other·end·users.·Thus·user·ownership·of·such·critical·configuration·files·must·be·set·to·root·and·group·ownership·must·be·set·to·cinder.
179 <br>181 <br>
180 <br>182 <br>
181 Run·the·following·commands:183 Run·the·following·commands:
182 <br>184 <br>
183 <br>185 <br>
184 <code>186 <code>
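Review bot: At the rule slot where the first build printed `Check-Block-05: Does cinder communicates with nova over TLS?` (old line 166), the second build prints `Check-Block-01: Is user/group ownership of config files set to root/cinder?` (new line 179), so the order in which rules are emitted into this generated guide is not stable between two builds of the same source. The renumbered collapse anchors (`idm4391` → `idm4428`, `idm4392` → `idm4429`) follow from that shift rather than being a separate change. Whether the nova TLS rule still appears elsewhere in the second build cannot be confirmed from this excerpt, so anyone diffing guides by position could miss a rule. The likely fix is upstream in the guide generator — sort rules by their `xccdf_org.ssgproject.content_rule_*` id before rendering — but that is inferred, not visible here.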
Offset 196, 46 lines modifiedOffset 196, 46 lines modified
196 <br>196 <br>
197 Pass:·If·user·and·group·ownership·of·all·these·config·files·is·set·to·root·and·cinder·respectively.·The·above·commands·show·output·of·root·cinder.197 Pass:·If·user·and·group·ownership·of·all·these·config·files·is·set·to·root·and·cinder·respectively.·The·above·commands·show·output·of·root·cinder.
198 <br>198 <br>
199 <br>199 <br>
200 Fail:·If·the·above·commands·does·not·return·any·output·as·the·user·and·group·ownership·might·have·set·to·any·user·other·than·root·or·any·group·other·than·cinder.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 200 Fail:·If·the·above·commands·does·not·return·any·output·as·the·user·and·group·ownership·might·have·set·to·any·user·other·than·root·or·any·group·other·than·cinder.</p><span·class="label·label-primary">Rationale:</span><p></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
201 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 201 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
202 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 202 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-RHELOSP-CCE-TBD">CCE-RHELOSP-CCE-TBD</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
203 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4421">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4421"><pre><code>for·file·in·/etc/cinder/cinder.conf·\203 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">FOO-1(a)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm4447">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm4447"><pre><code>for·file·in·/etc/cinder/cinder.conf·\
204 »       »       /etc/cinder/api-paste.ini·\204 »       »       /etc/cinder/api-paste.ini·\
205 »       »       /etc/cinder/policy.json·\205 »       »       /etc/cinder/policy.json·\
Max diff block lines reached; 68940/98431 bytes (70.04%) of diff not shown.
253 KB
./usr/share/doc/ssg-nondebian/ssg-rhel6-PCIDSS-RHEL-6-guide-pci-dss_centric.html
    
Offset 1872, 21 lines modifiedOffset 1872, 39 lines modified
1872 ····<pre·xml:space="preserve">$·sudo·chmod·0644·/etc/passwd</pre>1872 ····<pre·xml:space="preserve">$·sudo·chmod·0644·/etc/passwd</pre>
1873 ············</p><span·class="label·label-primary">Rationale:</span><p>If·the·<code>/etc/passwd</code>·file·is·writable·by·a·group-owner·or·the1873 ············</p><span·class="label·label-primary">Rationale:</span><p>If·the·<code>/etc/passwd</code>·file·is·writable·by·a·group-owner·or·the
1874 world·the·risk·of·its·compromise·is·increased.·The·file·contains·the·list·of1874 world·the·risk·of·its·compromise·is·increased.·The·file·contains·the·list·of
1875 accounts·on·the·system·and·associated·information,·and·protection·of·this·file1875 accounts·on·the·system·and·associated·information,·and·protection·of·this·file
1876 is·critical·for·system·security.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 1876 is·critical·for·system·security.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
1877 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 1877 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
1878 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26868-0">CCE-26868-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 1878 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26868-0">CCE-26868-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
1879 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000225</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000041</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50257r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm65638">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65638"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>chmod·0644·/etc/passwd1879 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000225</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.7.c</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000041</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50257r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm65638">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65638"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>
1880 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm65639">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65639"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Ensure·permission·0644·on·/etc/passwd1880 chmod·0644·/etc/passwd
 1881 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm65639">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65639"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>
 1882 -·name:·Find·/etc/passwd·file(s)
 1883 ··find:
 1884 ····paths:·"{{·'/etc/passwd'·|·dirname·}}"
 1885 ····patterns:·"{{·'/etc/passwd'·|·basename·}}"
 1886 ··register:·files_found
 1887 ··tags:
 1888 ····-·file_permissions_etc_passwd
 1889 ····-·medium_severity
 1890 ····-·configure_strategy
 1891 ····-·low_complexity
 1892 ····-·low_disruption
 1893 ····-·CCE-26868-0
 1894 ····-·NIST-800-53-AC-6
 1895 ····-·PCI-DSS-Req-8.7.c
 1896 ····-·DISA-STIG-RHEL-06-000041
  
 1897 -·name:·Set·permissions
1881 ··file:1898 ··file:
1882 ····path="{{item}}"1899 ····path:·"{{·item.path·}}"
1883 ····mode=06441900 ····mode:·0644
1884 ··with_items:1901 ··with_items:
1885 ····-·/etc/passwd1902 ····-·"{{·files_found.files·}}"
1886 ··tags:1903 ··tags:
1887 ····-·file_permissions_etc_passwd1904 ····-·file_permissions_etc_passwd
1888 ····-·medium_severity1905 ····-·medium_severity
1889 ····-·configure_strategy1906 ····-·configure_strategy
1890 ····-·low_complexity1907 ····-·low_complexity
1891 ····-·low_disruption1908 ····-·low_disruption
1892 ····-·CCE-26868-01909 ····-·CCE-26868-0
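Review bot: Rule `CCE-26868-0` (`file_permissions_etc_passwd`) ships with a different Ansible remediation in each build: the first sets `mode=0644` on a literal `/etc/passwd` item, while the second first runs `find` with `paths`/`patterns` derived from the same path and then loops over `files_found.files` (new lines 1882–1902). Beyond being a reproducibility failure, the two variants behave differently when the target path is absent — the `find` form loops over zero results and reports ok, whereas the direct `file:` form would fail — so which variant gets packaged changes what a compliance run reports. The shell remediation on the new side also gained a leading blank line inside `<pre><code>` (new line 1879), which is harmless but confirms the content, not just its order, differs. The selection of remediation content for a rule should be made deterministic at build time; the mechanism that chooses between the two is not visible in this excerpt.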
Offset 2374, 157 lines modifiedOffset 2392, 15 lines modified
  
2374 }2392 }
  
2375 »       fix_audit_syscall_rule·"auditctl"·"$PATTERN"·"$GROUP"·"$ARCH"·"$FULL_RULE"2393 »       fix_audit_syscall_rule·"auditctl"·"$PATTERN"·"$GROUP"·"$ARCH"·"$FULL_RULE"
  
2376 done2394 done
2377 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-10.2.2">10.2.22395 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_pcidss-req-10.2.2">10.2.2
2378 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-10.2.2">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·actions·taken·by·any</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions"·id="guide-tree-leaf-idm65694"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions">Ensure·auditd·Collects·System·Administrator·Actions2396 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_pcidss-req-10.2.2">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·actions·taken·by·any</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands"·id="guide-tree-leaf-idm65694"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-10.2.2"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands">Ensure·auditd·Collects·Information·on·the·Use·of·Privileged·Commands
2379 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>At·a·minimum·the·audit·system·should·collect 
2380 administrator·actions·for·all·users·and·root.·Add·the·following·to 
2381 <code>/etc/audit/audit.rules</code>: 
2382 <pre>-w·/etc/sudoers·-p·wa·-k·actions</pre></p><span·class="label·label-primary">Rationale:</span><p>The·actions·taken·by·system·administrators·should·be·audited·to·keep·a·record 
2383 of·what·was·executed·on·the·system,·as·well·as,·for·accountability·purposes.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
2384 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
2385 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26662-7">CCE-26662-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
2386 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000126</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(7)(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(10)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-1(b)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.2</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.2.5.b</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000064</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000201</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50379r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm65716">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm65716"><pre><code> 
  
2387 #·Perform·the·remediation 
2388 #·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: 
2389 #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements 
2390 #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect 
2391 #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules 
2392 # 
2393 #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: 
2394 #·*·audit·tool»    »    »    »    tool·used·to·load·audit·rules, 
2395 #·»      »      »      »      »      either·'auditctl',·or·'augenrules' 
2396 #·*·path························» value·of·-w·audit·rule's·argument 
2397 #·*·required·access·bits········»   value·of·-p·audit·rule's·argument 
2398 #·*·key·························»  value·of·-k·audit·rule's·argument 
2399 # 
2400 #·Example·call: 
2401 # 
2402 #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" 
2403 # 
2404 function·fix_audit_watch_rule·{ 
  
2405 #·Load·function·arguments·into·local·variables 
2406 local·tool="$1" 
2407 local·path="$2" 
2408 local·required_access_bits="$3" 
2409 local·key="$4" 
  
2410 #·Check·sanity·of·the·input 
2411 if·[·$#·-ne·"4"·] 
2412 then 
2413 »       echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" 
2414 »       echo·"Aborting." 
2415 »       exit·1 
2416 fi 
  
2417 #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness 
2418 #·of·a·particular·audit·rule.·The·scheme·is·as·follows: 
2419 # 
2420 #·----------------------------------------------------------------------------------------- 
2421 #·Tool·used·to·load·audit·rules»      |·Rule·already·defined»   |··Audit·rules·file·to·inspect»   ··| 
2422 #·----------------------------------------------------------------------------------------- 
2423 #»      auditctl»      »      |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| 
2424 #·----------------------------------------------------------------------------------------- 
2425 #·»      augenrules»    »    |··········Yes»»|··/etc/audit/rules.d/*.rules»     ··| 
2426 #·»      augenrules»    »    |··········No» » |··/etc/audit/rules.d/$key.rules··| 
2427 #·----------------------------------------------------------------------------------------- 
2428 declare·-a·files_to_inspect 
  
2429 #·Check·sanity·of·the·specified·audit·tool 
2430 if·[·"$tool"·!=·'auditctl'·]·&amp;&amp;·[·"$tool"·!=·'augenrules'·] 
2431 then 
2432 »       echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." 
2433 »       echo·"Use·either·'auditctl'·or·'augenrules'!" 
2434 »       exit·1 
2435 #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' 
2436 #·into·the·list·of·files·to·be·inspected 
2437 elif·[·"$tool"·==·'auditctl'·] 
2438 then 
2439 »       files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') 
2440 #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined 
2441 #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. 
2442 #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. 
2443 elif·[·"$tool"·==·'augenrules'·] 
2444 then 
2445 »       #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file 
2446 »       #·Get·pair·--·filepath·:·matching_row·into·@matches·array 
2447 »       IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) 
2448 »       #·Reset·IFS·back·to·default 
2449 »       unset·IFS 
2450 »       #·For·each·of·the·matched·entries 
2451 »       for·match·in·"${matches[@]}" 
2452 »       do 
Max diff block lines reached; 241965/258533 bytes (93.59%) of diff not shown.
1.59 MB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-C2S.html
    
Offset 57, 46 lines modifiedOffset 57, 44 lines modified
57 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in57 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
61 quality,·reliability,·or·any·other·characteristic.61 quality,·reliability,·or·any·other·characteristic.
62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
63 ····························(as·of·2018-07-26)63 ····························(as·of·2018-07-26)
64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a[·...·truncated·by·diffoscope;·len:·1198,·SHA:·51cf316a1f51145ef5b84d4df33141a3708861da5f3329cf77ffa71a74c6142b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·
data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777
e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
74 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft74 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
75 Windows·systems.·There·are·two·software·packages·that·provide75 that·passwords·and·other·data·transmitted·during·the·session·can·be
76 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of76 captured·and·that·the·session·is·vulnerable·to·hijacking.
77 command·line·tools·that·enable·a·client·system·to·access·Samba77 Therefore,·running·the·FTP·server·software·is·not·recommended.
78 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba78 <br><br>
79 service.·It·is·this·second·package·that·allows·a·Linux·system·to79 However,·there·are·some·FTP·server·configurations·which·may
80 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a80 be·appropriate·for·some·environments,·particularly·those·which
81 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by81 allow·only·read-only·anonymous·access·as·a·means·of·downloading
82 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible82 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
84 will·remain·disabled.·Do·not·enable·this·service·unless·it·is84 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29095"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
85 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print85 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
86 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_samba_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_samba_removed"·id="guide-tree-leaf-idm28988"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_samba_removed">Uninstall·samba·Package 
87 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_samba_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> 
88 ············86 ············
89 ········The·<code>samba</code>·package·can·be·removed·with·the·following·command:87 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
90 ········<pre>$·sudo·yum·erase·samba</pre>88 ········<pre>$·sudo·yum·erase·vsftpd</pre>
91 ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·mount·directories·and·file·systems·to89 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
92 Windows·systems,·then·this·service·can·be·deleted·to·reduce·90 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
93 the·potential·attack·surface.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
94 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 91 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
95 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27102-3">CCE-27102-3</abbr></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm28995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm28995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.92 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26687-4">CCE-26687-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 93 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
96 #94 #
97 #·Example·Call(s):95 #·Example·Call(s):
98 #96 #
99 #·····package_remove·telnet-server97 #·····package_remove·telnet-server
100 #98 #
101 function·package_remove·{99 function·package_remove·{
  
Offset 125, 60 lines modifiedOffset 123, 61 lines modified
125 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"123 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
126 ··echo·"Aborting."124 ··echo·"Aborting."
127 ··exit·1125 ··exit·1
128 fi126 fi
  
129 }127 }
  
130 package_remove·samba128 package_remove·vsftpd
131 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm28997">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm28997"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·samba·is·removed129 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29106"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed
132 ··package:130 ··package:
133 ····name="{{item}}"131 ····name="{{item}}"
134 ····state=absent132 ····state=absent
135 ··with_items:133 ··with_items:
136 ····-·samba134 ····-·vsftpd
137 ··tags:135 ··tags:
138 ····-·package_samba_removed136 ····-·package_vsftpd_removed
139 ····-·unknown_severity137 ····-·unknown_severity
140 ····-·disable_strategy138 ····-·disable_strategy
141 ····-·low_complexity139 ····-·low_complexity
142 ····-·low_disruption140 ····-·low_disruption
143 ····-·CCE-27102-3141 ····-·CCE-26687-4
144 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm28998">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm28998"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_samba142 ····-·NIST-800-53-CM-7
 143 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29107">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29107"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd
  
145 class·remove_samba·{144 class·remove_vsftpd·{
146 ··package·{·'samba':145 ··package·{·'vsftpd':
147 ····ensure·=&gt;·'purged',146 ····ensure·=&gt;·'purged',
148 ··}147 ··}
149 }148 }
150 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm28999">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm28999"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>149 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
151 package·--remove=samba150 package·--remove=vsftpd
152 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server151 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server
153 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to152 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to
154 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant153 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant
155 security·risk·because:154 security·risk·because:
156 <br><br>155 <br><br>
157 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long156 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long
158 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive157 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive
159 monitoring</li></ul>158 monitoring</li></ul>
160 <br><br>159 <br><br>
161 The·system's·default·web·server·software·is·Apache·2·and·is160 The·system's·default·web·server·software·is·Apache·2·and·is
162 provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible161 provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible
163 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system162 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system
164 does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled163 does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled
165 and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm29137"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_httpd_removed">Uninstall·httpd·Package164 and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm29158"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_httpd_removed">Uninstall·httpd·Package
166 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>165 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
167 ············166 ············
168 ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command:167 ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command:
169 ········<pre>$·sudo·yum·erase·httpd</pre>168 ········<pre>$·sudo·yum·erase·httpd</pre>
170 ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available,169 ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available,
171 removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 170 removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
172 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 171 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
173 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27133-8">CCE-27133-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 172 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27133-8">CCE-27133-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
174 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29145">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29145"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.173 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29166">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29166"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
175 #174 #
176 #·Example·Call(s):175 #·Example·Call(s):
177 #176 #
178 #·····package_remove·telnet-server177 #·····package_remove·telnet-server
179 #178 #
180 function·package_remove·{179 function·package_remove·{
  
Offset 208, 90 lines modifiedOffset 207, 55 lines modified
208 ··echo·"Aborting."207 ··echo·"Aborting."
209 ··exit·1208 ··exit·1
210 fi209 fi
  
211 }210 }
  
212 package_remove·httpd211 package_remove·httpd
213 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29147">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29147"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·httpd·is·removed212 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29168">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29168"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·httpd·is·removed
214 ··package:213 ··package:
215 ····name="{{item}}"214 ····name="{{item}}"
216 ····state=absent215 ····state=absent
217 ··with_items:216 ··with_items:
218 ····-·httpd217 ····-·httpd
219 ··tags:218 ··tags:
220 ····-·package_httpd_removed219 ····-·package_httpd_removed
221 ····-·unknown_severity220 ····-·unknown_severity
222 ····-·disable_strategy221 ····-·disable_strategy
Max diff block lines reached; 1641676/1669443 bytes (98.34%) of diff not shown.
2.42 MB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-CS2.html
    
Offset 48, 46 lines modifiedOffset 48, 65 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a[·...·truncated·by·diffoscope;·len:·1198,·SHA:·51cf316a1f51145ef5b84d4df33141a3708861da5f3329cf77ffa71a74c6142b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·
data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777
e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
63 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server63 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
65 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft65 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
66 Windows·systems.·There·are·two·software·packages·that·provide66 that·passwords·and·other·data·transmitted·during·the·session·can·be
67 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of67 captured·and·that·the·session·is·vulnerable·to·hijacking.
68 command·line·tools·that·enable·a·client·system·to·access·Samba68 Therefore,·running·the·FTP·server·software·is·not·recommended.
69 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba69 <br><br>
70 service.·It·is·this·second·package·that·allows·a·Linux·system·to70 However,·there·are·some·FTP·server·configurations·which·may
71 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a71 be·appropriate·for·some·environments,·particularly·those·which
72 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by72 allow·only·read-only·anonymous·access·as·a·means·of·downloading
73 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible73 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
75 will·remain·disabled.·Do·not·enable·this·service·unless·it·is75 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
76 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print76 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29019"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions
77 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm28973"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba77 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code>
78 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>78 configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>:
 79 <pre>xferlog_enable=YES
 80 xferlog_std_format=NO
 81 log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to
 82 the·FTP·server·are·logged·using·the·verbose·vsftpd·log
 83 format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 84 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 85 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 86 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users
 87 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code>
 88 by·default.·Add·or·correct·the·following·configuration·options:
 89 <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 90 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 91 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 92 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
 93 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
 94 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
 95 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
79 ············96 ············
80 ········The·<code>smb</code>·service·can·be·disabled·with·the·following·command:97 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
81 ········<pre>$·sudo·chkconfig·smb·off</pre>98 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
82 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·a·Samba·server·provides·a·network-based·avenue·of·attack,·and99 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
83 should·be·disabled·if·not·needed.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 100 of·attack,·and·should·be·disabled·if·not·needed.
 101 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
 102 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
84 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 103 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
85 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27143-7">CCE-27143-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 104 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26948-0">CCE-26948-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
86 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm28981">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm28981"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.105 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29088">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29088"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
87 #106 #
88 #·Example·Call(s):107 #·Example·Call(s):
89 #108 #
90 #·····service_command·enable·bluetooth109 #·····service_command·enable·bluetooth
91 #·····service_command·disable·bluetooth.service110 #·····service_command·disable·bluetooth.service
92 #111 #
93 #·····Using·xinetd:112 #·····Using·xinetd:
Offset 154, 139 lines modifiedOffset 173, 125 lines modified
154 ··else173 ··else
155 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd174 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
156 ··fi175 ··fi
157 fi176 fi
  
158 }177 }
  
159 service_command·disable·smb178 service_command·disable·vsftpd
160 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm28983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm28983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·smb179 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd
161 ··service:180 ··service:
162 ····name="{{item}}"181 ····name="{{item}}"
163 ····enabled="no"182 ····enabled="no"
164 ····state="stopped"183 ····state="stopped"
165 ··register:·service_result184 ··register:·service_result
166 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"185 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
167 ··with_items:186 ··with_items:
168 ····-·smb187 ····-·vsftpd
169 ··tags:188 ··tags:
170 ····-·service_smb_disabled189 ····-·service_vsftpd_disabled
171 ····-·unknown_severity190 ····-·unknown_severity
172 ····-·disable_strategy191 ····-·disable_strategy
173 ····-·low_complexity192 ····-·low_complexity
174 ····-·low_disruption193 ····-·low_disruption
175 ····-·CCE-27143-7194 ····-·CCE-26948-0
176 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary195 ····-·NIST-800-53-CM-7
177 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in196 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29095"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
178 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a197 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
179 <code>[global]</code>·configuration·section·and·a·series·of·user198 ············
180 created·share·definition·sections·meant·to·describe·file·or·print199 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
181 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode200 ········<pre>$·sudo·yum·erase·vsftpd</pre>
182 and·allow·client·systems·to·access·local·home·directories·and201 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
183 printers.·It·is·recommended·that·these·settings·be·changed·or·that202 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
184 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_smb_server_disable_root"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smb_server_disable_root"·id="guide-tree-leaf-idm29046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_smb_server_disable_root">Disable·Root·Access·to·SMB·Shares 
185 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_smb_server_disable_root">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Administrators·should·not·use·administrator·accounts·to·access 
186 Samba·file·and·printer·shares.·Disable·the·root·user·and·the·wheel 
187 administrator·group: 
188 <pre>[<i>share</i>] 
189 ··invalid·users·=·root·@wheel</pre> 
190 If·administrator·accounts·cannot·be·disabled,·ensure·that·local·system 
191 passwords·and·Samba·service·passwords·do·not·match.</p><span·class="label·label-primary">Rationale:</span><p>Typically,·administrator·access·is·required·when·Samba·must·create·user·and 
192 system·accounts·and·shares.·Domain·member·servers·and·standalone·servers·may 
193 not·need·administrator·access·at·all.·If·that·is·the·case,·add·the·invalid 
194 users·parameter·to·<code>[global]</code>·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
195 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
196 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27533-9">CCE-27533-9</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29054"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient 
197 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
198 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
199 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
200 <pre>client·signing·=·mandatory</pre> 
201 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
202 signing·ensures·they·can 
203 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
204 man-in-the-middle·attacks·which·modify·SMB·packets·in 
205 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
206 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 203 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
207 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 204 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26687-4">CCE-26687-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
208 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29067">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29067"><pre><code>######################################################################205 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
209 #By·Luke·"Brisk-OH"·Brisk206 #
210 #luke.brisk@boeing.com·or·luke.brisk@gmail.com207 #·Example·Call(s):
211 ######################################################################208 #
 209 #·····package_remove·telnet-server
Max diff block lines reached; 2499793/2532415 bytes (98.71%) of diff not shown.
1.63 MB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-CSCF-RHEL6-MLS.html
    
Offset 53, 278 lines modifiedOffset 53, 148 lines modified
53 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in53 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
54 this·guide·without·first·testing·them·in·a·non-operational·environment.·The54 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
55 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by55 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
56 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its56 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
57 quality,·reliability,·or·any·other·characteristic.57 quality,·reliability,·or·any·other·characteristic.
58 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>58 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
59 ····························(as·of·2018-07-26)59 ····························(as·of·2018-07-26)
60 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avah[·...·truncated·by·diffoscope;·len:·769,·SHA:·3124dfdf73350166f9f7cbf4323d48d584287410c4cd751c8ee8b136e9c820f6·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·d
ata-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services60 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SS[·...·truncated·by·diffoscope;·len:·769,·SHA:·db505ea27
5ff2d5c2ba13f068156b97f7fb51fc9aa062d91c74450db7783e2d3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
61 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review61 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
62 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It62 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
63 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which63 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
64 ones·can·be·safely·disabled.64 ones·can·be·safely·disabled.
65 <br><br>65 <br><br>
66 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional66 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
67 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up67 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
68 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server68 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
70 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant70 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
71 security·risk·because:71 that·passwords·and·other·data·transmitted·during·the·session·can·be
72 <br><br>72 captured·and·that·the·session·is·vulnerable·to·hijacking.
73 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long73 Therefore,·running·the·FTP·server·software·is·not·recommended.
74 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive 
75 monitoring</li></ul> 
76 <br><br> 
77 The·system's·default·web·server·software·is·Apache·2·and·is 
78 provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_securing_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_securing_httpd">Secure·Apache·Configuration 
79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_securing_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>httpd</code>·configuration·file·is 
80 <code>/etc/httpd/conf/httpd.conf</code>.·Apply·the·recommendations·in·the·remainder 
81 of·this·section·to·this·file.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">Restrict·Web·Server·Information·Leakage 
82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>ServerTokens</code>·and·<code>ServerSignature</code>·directives·determine·how 
83 much·information·the·web·server·discloses·about·the·configuration·of·the 
84 system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·id="guide-tree-leaf-idm29164"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">Set·httpd·ServerTokens·Directive·to·Prod 
85 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p><code>ServerTokens·Prod</code>·restricts·information·in·page·headers,·returning·only·the·word·"Apache." 
86 <br><br>74 <br><br>
87 Add·or·correct·the·following·directive·in·<code>/etc/httpd/conf/httpd.conf</code>:75 However,·there·are·some·FTP·server·configurations·which·may
88 <pre>ServerTokens·Prod</pre></p><span·class="label·label-primary">Rationale:</span><p>Information·disclosed·to·clients·about·the·configuration·of·the·web·server·and·system·could·be·used76 be·appropriate·for·some·environments,·particularly·those·which
89 to·plan·an·attack·on·the·given·system.·This·information·disclosure·should·be·restricted·to·a·minimum.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 77 allow·only·read-only·anonymous·access·as·a·means·of·downloading
90 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 78 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
91 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27425-8">CCE-27425-8</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
92 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server">Configure·Operating·System·to·Protect·Web·Server80 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
93 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·following·configuration·steps·should·be·taken·on·the·system·which·hosts·the81 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
94 web·server,·in·order·to·provide·as·safe·an·environment·as·possible·for·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td·style="padding-left:·95px"><h3·id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access">Restrict·File·and·Directory·Access82 ············
95 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Minimize·access·to·critical·<code>httpd</code>·files·and·directories.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td·style="padding-left:·95px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files"·id="guide-tree-leaf-idm29226"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files">Set·Permissions·on·All·Configuration·File[·...·truncated·by·diffoscope;·len:·25,·SHA:·e3ab4a647280b91439ef7d7e7509dfb7de5dd424d7220d6c96067b3b5ad5d5e3·...·]83 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
96 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Set·permissions·on·the·web·server·configuration·files·to·640:84 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
97 <pre>$·sudo·chmod·640·/etc/httpd/conf/*</pre></p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·configuration·files·may·allow·an·unauthorized·user·or·attacker85 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
98 to·access·information·about·the·web·server·or·to·alter·the·server's·configuration·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 86 of·attack,·and·should·be·disabled·if·not·needed.
99 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 87 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
100 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27316-9">CCE-27316-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 88 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
101 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29233">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29233"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> 
102 chmod·0640·/etc/httpd/conf/* 
103 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29234">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29234"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> 
104 -·name:·Find·/etc/httpd/conf/*·file(s) 
105 ··find: 
106 ····paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" 
107 ····patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" 
108 ··register:·files_found 
109 ··tags: 
110 ····-·file_permissions_httpd_server_conf_files 
111 ····-·unknown_severity 
112 ····-·configure_strategy 
113 ····-·low_complexity 
114 ····-·low_disruption 
115 ····-·CCE-27316-9 
116 ····-·NIST-800-53-CM-7 
  
117 -·name:·Set·permissions 
118 ··file: 
119 ····path:·"{{·item.path·}}" 
120 ····mode:·0640 
121 ··with_items: 
122 ····-·"{{·files_found.files·}}" 
123 ··tags: 
124 ····-·file_permissions_httpd_server_conf_files 
125 ····-·unknown_severity 
126 ····-·configure_strategy 
127 ····-·low_complexity 
128 ····-·low_disruption 
129 ····-·CCE-27316-9 
130 ····-·NIST-800-53-CM-7 
131 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29237"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory 
132 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: 
133 <pre>$·sudo·chmod·700·/var/log/httpd/</pre> 
134 This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker 
135 to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
136 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 89 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
137 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27150-2">CCE-27150-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 90 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26948-0">CCE-26948-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
138 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software91 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29088">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29088"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
139 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. 
140 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious 
141 targets·of·network·attack. 
142 Ensure·that·systems·are·not·running·MTAs·unnecessarily, 
143 and·configure·needed·MTAs·as·defensively·as·possible. 
144 <br><br> 
145 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the 
146 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email 
147 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. 
148 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, 
149 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. 
150 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
151 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
152 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
153 <br><br> 
154 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software 
155 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. 
156 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by 
157 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. 
158 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients 
159 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only 
160 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29530"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening 
161 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following 
162 <code>inet_interfaces</code>·line·appears: 
163 <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages 
164 (such·as·cron·job·reports)·from·the·local·system·only, 
165 and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
166 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
167 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26780-7">CCE-26780-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
168 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000249</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_sendmail_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed"·id="guide-tree-leaf-idm29625"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_sendmail_removed">Uninstall·Sendmail·Package 
169 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_sendmail_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Sendmail·is·not·the·default·mail·transfer·agent·and·is 
170 not·installed·by·default. 
  
171 ········The·<code>sendmail</code>·package·can·be·removed·with·the·following·command: 
172 ········<pre>$·sudo·yum·erase·sendmail</pre></p><span·class="label·label-primary">Rationale:</span><p>The·sendmail·software·was·not·developed·with·security·in·mind·and 
173 its·design·prevents·it·from·being·effectively·contained·by·SELinux.··Postfix 
174 should·be·used·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
175 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
176 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27515-6">CCE-27515-6</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
177 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000288</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50472r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29636">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29636"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
Max diff block lines reached; 1677183/1710229 bytes (98.07%) of diff not shown.
255 KB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-default.html
    
Offset 48, 89 lines modifiedOffset 48, 44 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·S[·...·truncated·by·diffoscope;·len:·1394,·SHA:·f9605989138a055136c42bc085f02de0147473f760d936bba4f0446adaf588d9·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·dat
a-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.conten
t_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li[·...·truncated·by·diffoscope;·len:·1394,·SHA:·9a1bfb5c7765341b73597905fe9f3f980e67a77f0272acdc04afd633558c2516·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
58 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It58 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
60 ones·can·be·safely·disabled.60 ones·can·be·safely·disabled.
61 <br><br>61 <br><br>
62 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional62 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
63 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up63 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
64 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server64 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
66 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft66 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
67 Windows·systems.·There·are·two·software·packages·that·provide67 that·passwords·and·other·data·transmitted·during·the·session·can·be
68 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of68 captured·and·that·the·session·is·vulnerable·to·hijacking.
69 command·line·tools·that·enable·a·client·system·to·access·Samba69 Therefore,·running·the·FTP·server·software·is·not·recommended.
70 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba70 <br><br>
71 service.·It·is·this·second·package·that·allows·a·Linux·system·to71 However,·there·are·some·FTP·server·configurations·which·may
72 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a72 be·appropriate·for·some·environments,·particularly·those·which
73 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by73 allow·only·read-only·anonymous·access·as·a·means·of·downloading
74 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible74 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
75 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it75 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
76 will·remain·disabled.·Do·not·enable·this·service·unless·it·is76 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
77 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print77 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP
78 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary78 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to
79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in79 do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an
80 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a80 identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
81 <code>[global]</code>·configuration·section·and·a·series·of·user81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and
82 created·share·definition·sections·meant·to·describe·file·or·print82 set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
83 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
84 and·allow·client·systems·to·access·local·home·directories·and84 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server
85 printers.·It·is·recommended·that·these·settings·be·changed·or·that 
86 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_disable_printing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_disable_printing">Restrict·Printer·Sharing 
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_disable_printing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·Samba·utilizes·the·CUPS·printing·service·to·enable 
88 printer·sharing·with·Microsoft·Windows·workstations.·If·there·are·no·printers 
89 on·the·local·system,·or·if·printer·sharing·with·Microsoft·Windows·is·not 
90 required,·disable·the·printer·sharing·capability·by·commenting·out·the 
91 following·lines,·found·in·<code>/etc/samba/smb.conf</code>: 
92 <pre>[global] 
93 ··load·printers·=·yes 
94 ··cups·options·=·raw 
95 [printers] 
96 ··comment·=·All·Printers 
97 ··path·=·/usr/spool/samba 
98 ··browseable·=·no 
99 ··guest·ok·=·no 
100 ··writable·=·no 
101 ··printable·=·yes</pre> 
102 There·may·be·other·options·present,·but·these·are·the·only·options·enabled·and 
103 uncommented·by·default.·Removing·the·<code>[printers]</code>·share·should·be·enough 
104 for·most·users.··If·the·Samba·printer·sharing·capability·is·needed,·consider 
105 disabling·the·Samba·network·browsing·capability·or·restricting·access·to·a 
106 particular·set·of·users·or·network·addresses.·Set·the·<code>valid·users</code> 
107 parameter·to·a·small·subset·of·users·or·restrict·it·to·a·particular·group·of 
108 users·with·the·shorthand·<code>@</code>.·Separate·each·user·or·group·of·users·with 
109 a·space.·For·example,·under·the·<code>[printers]</code>·share: 
110 <pre>[printers] 
111 ··valid·users·=·user·@printerusers</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">Restrict·SMB·File·Sharing·to·Configured·Networks 
112 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Only·users·with·local·user·accounts·will·be·able·to·log·in·to 
113 Samba·shares·by·default.·Shares·can·be·limited·to·particular·users·or·network 
114 addresses.·Use·the·<code>hosts·allow</code>·and·<code>hosts·deny</code>·directives 
115 accordingly,·and·consider·setting·the·valid·users·directive·to·a·limited·subset 
116 of·users·or·to·a·group·of·users.·Separate·each·address,·user,·or·user·group 
117 with·a·space·as·follows·for·a·particular·<i>share</i>·or·global: 
118 <pre>[<i>share</i>] 
119 ··hosts·allow·=·192.168.1.·127.0.0.1 
120 ··valid·users·=·userone·usertwo·@usergroup</pre> 
121 It·is·also·possible·to·limit·read·and·write·access·to·particular·users·with·the 
122 read·list·and·write·list·options,·though·the·permissions·set·by·the·system 
123 itself·will·override·these·settings.·Set·the·read·only·attribute·for·each·share 
124 to·ensure·that·global·settings·will·not·accidentally·override·the·individual 
125 share·settings.·Then,·as·with·the·valid·users·directive,·separate·each·user·or 
126 group·of·users·with·a·space: 
127 <pre>[<i>share</i>] 
128 ··read·only·=·yes 
129 ··write·list·=·userone·usertwo·@usergroup</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server 
130 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to85 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to
131 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant86 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant
132 security·risk·because:87 security·risk·because:
133 <br><br>88 <br><br>
134 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long89 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long
135 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive90 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive
136 monitoring</li></ul>91 monitoring</li></ul>
Offset 343, 165 lines modifiedOffset 298, 179 lines modified
343 <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration298 <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration
344 <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery)299 <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery)
345 <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization300 <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization
346 <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies301 <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies
347 <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting302 <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting
348 <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul>303 <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul>
349 Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk304 Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk
350 by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software305 by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server
351 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network.306 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at
352 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious307 least·one·nameserver.·However,·there·are·many·common·attacks
353 targets·of·network·attack.308 involving·DNS·server·software,·and·this·server·software·should
354 Ensure·that·systems·are·not·running·MTAs·unnecessarily,309 be·disabled·on·any·system
355 and·configure·needed·MTAs·as·defensively·as·possible.310 on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate·DNS·from·Other·Services
356 <br><br>311 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server
357 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the312 from·interfering·with·other·services.·This·is·done·both·to·protect·the
358 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email313 remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct
359 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3.314 attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail
360 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email,315 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package:
361 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator.316 <pre>$·sudo·yum·install·bind-chroot</pre>
362 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from317 Place·a·valid·named.conf·file·inside·the·chroot·jail:
363 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account),318 <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf
364 but·the·system·still·cannot·receive·mail·directly·over·a·network.319 $·sudo·chown·root:root·/var/named/chroot/etc/named.conf
365 <br><br>320 $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre>
366 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software321 Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the
367 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred.322 options·directive.·If·your·<code>named.conf</code>·includes:
368 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by323 <pre>options·{
369 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions.324 directory·"/path/to/DIRNAME·";
370 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients325 ...
371 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only326 }</pre>
372 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_harden_os"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_harden_os"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_harden_os">Configure·Operating·System·to·Protect·Mail·Server327 then·copy·that·directory·and·its·contents·from·the·original·zone·directory:
373 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_harden_os">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·guidance·in·this·section·is·appropriate·for·any·host·which·is328 <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre>
374 operating·as·a·site·MTA,·whether·the·mail·server·runs·using·Sendmail,·Postfix,329 Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>:
375 or·some·other·software.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs">Configure·SSL·Certificates·for·Use·with·SMTP·AUTH330 <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers
376 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·SMTP·AUTH·is·to·be·used,·the·use·of·SSL·to·protect·credentials·in·transit·is·strongly·recommended.331 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is
377 There·are·also·configurations·for·which·it·may·be·desirable·to·encrypt·all·mail·in·transit·from·one·MTA·to·another,332 a·high-risk·service·which·must·frequently·be·made·available·to·the·entire
378 though·such·configurations·are·beyond·the·scope·of·this·guide.·In·either·event,·the·steps·for·creating·and·installing333 Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by
379 an·SSL·certificate·are·independent·of·the·MTA·in·use,·and·are·described·here.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_install_ssl_cert"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"><td·style="padding-left:·95px"><h3·id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert">Ensure·Security·of·Postfix·SSL·Certificate334 machines·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect·DNS·Data·from·Tampering·or·Attack
Max diff block lines reached; 198673/260554 bytes (76.25%) of diff not shown.
1.68 MB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-desktop.html
    
Offset 49, 46 lines modifiedOffset 49, 46 lines modified
49 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in49 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
50 this·guide·without·first·testing·them·in·a·non-operational·environment.·The50 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
51 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by51 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
52 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its52 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
53 quality,·reliability,·or·any·other·characteristic.53 quality,·reliability,·or·any·other·characteristic.
54 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>54 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
55 ····························(as·of·2018-07-26)55 ····························(as·of·2018-07-26)
56 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·1034,·SHA:·985d77cbb1354040badea5ab3b500f53cf1a38fb7eaccb8d6cd1d71f33e9ba4b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·
data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services56 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1034,·SHA:·1b10be6
148833f42610be20bd7d90e370d8d04968a079fa39af8874411e4f268·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
58 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It58 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
60 ones·can·be·safely·disabled.60 ones·can·be·safely·disabled.
61 <br><br>61 <br><br>
62 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional62 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
63 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up63 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
64 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server64 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
66 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft66 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
67 Windows·systems.·There·are·two·software·packages·that·provide67 that·passwords·and·other·data·transmitted·during·the·session·can·be
68 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of68 captured·and·that·the·session·is·vulnerable·to·hijacking.
69 command·line·tools·that·enable·a·client·system·to·access·Samba69 Therefore,·running·the·FTP·server·software·is·not·recommended.
70 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba70 <br><br>
71 service.·It·is·this·second·package·that·allows·a·Linux·system·to71 However,·there·are·some·FTP·server·configurations·which·may
72 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a72 be·appropriate·for·some·environments,·particularly·those·which
73 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by73 allow·only·read-only·anonymous·access·as·a·means·of·downloading
74 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible74 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
75 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it75 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
76 will·remain·disabled.·Do·not·enable·this·service·unless·it·is76 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
77 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print77 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
78 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm28973"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba 
79 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> 
80 ············78 ············
81 ········The·<code>smb</code>·service·can·be·disabled·with·the·following·command:79 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
82 ········<pre>$·sudo·chkconfig·smb·off</pre>80 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
83 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·a·Samba·server·provides·a·network-based·avenue·of·attack,·and81 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
84 should·be·disabled·if·not·needed.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 82 of·attack,·and·should·be·disabled·if·not·needed.
 83 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
 84 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
85 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 85 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
86 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27143-7">CCE-27143-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 86 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26948-0">CCE-26948-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
87 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm28981">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm28981"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.87 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29088">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29088"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
88 #88 #
89 #·Example·Call(s):89 #·Example·Call(s):
90 #90 #
91 #·····service_command·enable·bluetooth91 #·····service_command·enable·bluetooth
92 #·····service_command·disable·bluetooth.service92 #·····service_command·disable·bluetooth.service
93 #93 #
94 #·····Using·xinetd:94 #·····Using·xinetd:
Offset 155, 127 lines modifiedOffset 155, 125 lines modified
155 ··else155 ··else
156 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd156 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
157 ··fi157 ··fi
158 fi158 fi
  
159 }159 }
  
160 service_command·disable·smb160 service_command·disable·vsftpd
161 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm28983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm28983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·smb161 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd
162 ··service:162 ··service:
163 ····name="{{item}}"163 ····name="{{item}}"
164 ····enabled="no"164 ····enabled="no"
165 ····state="stopped"165 ····state="stopped"
166 ··register:·service_result166 ··register:·service_result
167 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"167 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
168 ··with_items:168 ··with_items:
169 ····-·smb169 ····-·vsftpd
170 ··tags:170 ··tags:
171 ····-·service_smb_disabled171 ····-·service_vsftpd_disabled
172 ····-·unknown_severity172 ····-·unknown_severity
173 ····-·disable_strategy173 ····-·disable_strategy
174 ····-·low_complexity174 ····-·low_complexity
175 ····-·low_disruption175 ····-·low_disruption
176 ····-·CCE-27143-7176 ····-·CCE-26948-0
177 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary177 ····-·NIST-800-53-CM-7
178 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in178 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29095"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
179 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a179 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
180 <code>[global]</code>·configuration·section·and·a·series·of·user180 ············
181 created·share·definition·sections·meant·to·describe·file·or·print181 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
182 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode182 ········<pre>$·sudo·yum·erase·vsftpd</pre>
183 and·allow·client·systems·to·access·local·home·directories·and183 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
184 printers.·It·is·recommended·that·these·settings·be·changed·or·that184 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
185 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29054"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient 
186 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
187 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
188 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
189 <pre>client·signing·=·mandatory</pre> 
190 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
191 signing·ensures·they·can 
192 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
193 man-in-the-middle·attacks·which·modify·SMB·packets·in 
194 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
195 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 185 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
196 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 186 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26687-4">CCE-26687-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
197 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29067">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29067"><pre><code>######################################################################187 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
198 #By·Luke·"Brisk-OH"·Brisk188 #
199 #luke.brisk@boeing.com·or·luke.brisk@gmail.com189 #·Example·Call(s):
200 ######################################################################190 #
 191 #·····package_remove·telnet-server
 192 #
 193 function·package_remove·{
  
201 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)194 #·Load·function·arguments·into·local·variables
 195 local·package="$1"
  
202 if·[·"$CLIENTSIGNING"·-eq·0·];··then196 #·Check·sanity·of·the·input
203 »       #·Add·to·global·section197 if·[·$#·-ne·"1"·]
204 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf198 then
 199 ··echo·"Usage:·package_remove·'package_name'"
 200 ··echo·"Aborting."
 201 ··exit·1
 202 fi
  
 203 if·which·dnf·;·then
 204 ··if·rpm·-q·--quiet·"$package";·then
 205 ····dnf·remove·-y·"$package"
 206 ··fi
 207 elif·which·yum·;·then
 208 ··if·rpm·-q·--quiet·"$package";·then
 209 ····yum·remove·-y·"$package"
 210 ··fi
 211 elif·which·apt-get·;·then
 212 ··apt-get·remove·-y·"$package"
205 else213 else
206 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf214 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 215 ··echo·"Aborting."
 216 ··exit·1
207 fi217 fi
Max diff block lines reached; 1730156/1756860 bytes (98.48%) of diff not shown.
1.64 MB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-fisma-medium-rhel6-server.html
    
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·[·...·truncated·by·diffoscope;·len:·81,·SHA:·e40bd79f1fd9eb150f341bd639fb375c20752df2c72fcb82d1b970a8a17b24d7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHE
L-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf
_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·81,·SHA:·4c0efd7fd5ff299a2185037a736930f562109fd8f8ac833d06c44618aa2adc79·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 83, 15 lines modifiedOffset 83, 15 lines modified
83 <br><br>83 <br><br>
84 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP84 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP
85 servers,·and·the·remainder·obtaining·time·information·from·those85 servers,·and·the·remainder·obtaining·time·information·from·those
86 internal·servers.86 internal·servers.
87 <br><br>87 <br><br>
88 More·information·on·how·to·configure·the·NTP·server·software,88 More·information·on·how·to·configure·the·NTP·server·software,
89 including·configuration·of·cryptographic·authentication·for89 including·configuration·of·cryptographic·authentication·for
90 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29915"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon90 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon
91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
92 ··········92 ··········
93 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:93 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
94 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>94 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>
95 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>95 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>
96 service·will·be·running·and·that·the·system·will·synchronize·its·time·to96 service·will·be·running·and·that·the·system·will·synchronize·its·time·to
97 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be97 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be
Offset 101, 15 lines modifiedOffset 101, 15 lines modified
101 logs·and·auditing·possible·security·breaches.··101 logs·and·auditing·possible·security·breaches.··
102 <br><br>102 <br><br>
103 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·103 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·
104 deprecated.··Additional·information·on·this·is·available·at·104 deprecated.··Additional·information·on·this·is·available·at·
105 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 105 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
106 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 106 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
107 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 107 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
108 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29934">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29934"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.108 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm29880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
109 #109 #
110 #·Example·Call(s):110 #·Example·Call(s):
111 #111 #
112 #·····service_command·enable·bluetooth112 #·····service_command·enable·bluetooth
113 #·····service_command·disable·bluetooth.service113 #·····service_command·disable·bluetooth.service
114 #114 #
115 #·····Using·xinetd:115 #·····Using·xinetd:
Offset 177, 15 lines modifiedOffset 177, 15 lines modified
177 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd177 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
178 ··fi178 ··fi
179 fi179 fi
  
180 }180 }
  
181 service_command·enable·ntpd181 service_command·enable·ntpd
182 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd182 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd
183 ··service:183 ··service:
184 ····name="{{item}}"184 ····name="{{item}}"
185 ····enabled="yes"185 ····enabled="yes"
186 ····state="started"186 ····state="started"
187 ··with_items:187 ··with_items:
188 ····-·ntpd188 ····-·ntpd
189 ··tags:189 ··tags:
Offset 194, 37 lines modifiedOffset 194, 252 lines modified
194 ····-·enable_strategy194 ····-·enable_strategy
195 ····-·low_complexity195 ····-·low_complexity
196 ····-·low_disruption196 ····-·low_disruption
197 ····-·CCE-27093-4197 ····-·CCE-27093-4
198 ····-·NIST-800-53-AU-8(1)198 ····-·NIST-800-53-AU-8(1)
199 ····-·PCI-DSS-Req-10.4199 ····-·PCI-DSS-Req-10.4
200 ····-·DISA-STIG-RHEL-06-000247200 ····-·DISA-STIG-RHEL-06-000247
201 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29941"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers201 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29887"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers
202 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization202 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization
203 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the203 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the
204 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for204 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for
205 <em>ntpserver</em>:205 <em>ntpserver</em>:
206 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of206 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of
207 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes207 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes
208 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for208 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for
209 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 209 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
210 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 210 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
211 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 211 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
212 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29954"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server212 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29900"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server
213 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit213 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit
214 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,214 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,
215 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:215 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:
216 <pre>server·<i>ntpserver</i></pre>216 <pre>server·<i>ntpserver</i></pre>
217 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time217 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time
218 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible218 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible
219 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with219 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with
220 real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 220 real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
221 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 221 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
222 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 222 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27098-3">CCE-27098-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
223 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services223 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000248</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons
 224 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to
 225 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost
 226 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or
 227 may·not·be·required·on·a·given·system.·Both·daemons·should·be
 228 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm30128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service
 229 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at
 230 preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary
 231 maintenance·tasks,·such·as·notifying·root·of·system·activity.
  
 232 ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command:
 233 ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks,
 234 enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 235 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 236 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27070-2">CCE-27070-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 237 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000224</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm30140">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30140"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 238 #
 239 #·Example·Call(s):
 240 #
 241 #·····service_command·enable·bluetooth
 242 #·····service_command·disable·bluetooth.service
 243 #
 244 #·····Using·xinetd:
 245 #·····service_command·disable·rsh.socket·xinetd=rsh
 246 #
 247 function·service_command·{
  
 248 #·Load·function·arguments·into·local·variables
 249 local·service_state=$1
 250 local·service=$2
 251 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 252 #·Check·sanity·of·the·input
 253 if·[·$#·-lt·"2"·]
Max diff block lines reached; 1682618/1716627 bytes (98.02%) of diff not shown.
1.51 MB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-ftp-server.html
    
Offset 48, 23 lines modifiedOffset 48, 146 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="[·...·truncated·by·diffoscope;·len:·734,·SHA:·1f08c4e9f3a384d6ec4b26a81613c923ba42116513facbf12303cf00da55fab1·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·d
ata-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="[·...·truncated·by·diffoscope;·len:·734,·SHA:·25c03cfca
8c8e7566953764cd9421d66561e88aec462809a5f7eec462db2bd40·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
63 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server63 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
 64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
 65 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
 66 that·passwords·and·other·data·transmitted·during·the·session·can·be
 67 captured·and·that·the·session·is·vulnerable·to·hijacking.
 68 Therefore,·running·the·FTP·server·software·is·not·recommended.
 69 <br><br>
 70 However,·there·are·some·FTP·server·configurations·which·may
 71 be·appropriate·for·some·environments,·particularly·those·which
 72 allow·only·read-only·anonymous·access·as·a·means·of·downloading
 73 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
 74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
 75 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
 76 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP
 77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to
 78 do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an
 79 identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·id="guide-tree-leaf-idm28977"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">Restrict·Access·to·Anonymous·Users·if·Possible
 80 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than
 81 using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option:
 82 <pre>local_enable=NO</pre>
 83 If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure
 84 these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 85 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 86 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27115-5">CCE-27115-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 87 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_home_partition"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_home_partition"·id="guide-tree-leaf-idm29014"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_home_partition">Place·the·FTP·Home·Directory·on·its·Own·Partition
 88 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can
 89 be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent
 90 these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 91 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 92 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27411-8">CCE-27411-8</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29019"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions
 93 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code>
 94 configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>:
 95 <pre>xferlog_enable=YES
 96 xferlog_std_format=NO
 97 log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to
 98 the·FTP·server·are·logged·using·the·verbose·vsftpd·log
 99 format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 100 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 101 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 102 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·id="guide-tree-leaf-idm29035"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads">Disable·FTP·Uploads·if·Possible
 103 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not,
 104 edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options:
 105 <pre>write_enable=NO</pre>
 106 If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions
 107 as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less
 108 common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it
 109 is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 110 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 111 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27117-1">CCE-27117-1</abbr></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users
 112 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code>
 113 by·default.·Add·or·correct·the·following·configuration·options:
 114 <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 115 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 116 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 117 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
 118 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and
 119 set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29061"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package
 120 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels.
 121 <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security
 122 and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 123 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 124 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27187-4">CCE-27187-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 125 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29069">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29069"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 126 #
 127 #·Example·Call(s):
 128 #
 129 #·····package_install·aide
 130 #
 131 function·package_install·{
  
 132 #·Load·function·arguments·into·local·variables
 133 local·package="$1"
  
 134 #·Check·sanity·of·the·input
 135 if·[·$#·-ne·"1"·]
 136 then
 137 ··echo·"Usage:·package_install·'package_name'"
 138 ··echo·"Aborting."
 139 ··exit·1
 140 fi
  
 141 if·which·dnf·;·then
 142 ··if·!·rpm·-q·--quiet·"$package";·then
 143 ····dnf·install·-y·"$package"
 144 ··fi
 145 elif·which·yum·;·then
 146 ··if·!·rpm·-q·--quiet·"$package";·then
 147 ····yum·install·-y·"$package"
 148 ··fi
 149 elif·which·apt-get·;·then
 150 ··apt-get·install·-y·"$package"
 151 else
 152 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 153 ··echo·"Aborting."
 154 ··exit·1
 155 fi
  
 156 }
  
 157 package_install·vsftpd
 158 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29071">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29071"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·installed
 159 ··package:
 160 ····name="{{item}}"
 161 ····state=present
 162 ··with_items:
 163 ····-·vsftpd
 164 ··tags:
 165 ····-·package_vsftpd_installed
 166 ····-·unknown_severity
 167 ····-·enable_strategy
 168 ····-·low_complexity
 169 ····-·low_disruption
Max diff block lines reached; 1556352/1584645 bytes (98.21%) of diff not shown.
2.12 MB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-nist-CL-IL-AL.html
    
Offset 53, 128 lines modifiedOffset 53, 127 lines modified
53 this·guide·without·first·testing·them·in·a·non-operational·environment.·The53 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
54 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by54 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
55 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its55 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
56 quality,·reliability,·or·any·other·characteristic.56 quality,·reliability,·or·any·other·characteristic.
57 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat·57 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat·
58 Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>58 Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
59 ····························(as·of·2018-07-26)59 ····························(as·of·2018-07-26)
60 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org[·...·truncated·by·diffoscope;·len:·879,·SHA:·21ff6503618adec4c4c9c4a0ed6e669d5b889b87c0da4727c50ebdf28eb0b4ae·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·d
ata-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services60 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org[·...·truncated·by·diffoscope;·len:·879,·SHA:·a9e3098c4
894efb85e37b60670bbc0450483217500119b1f1ca43a0e1222a6a3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
61 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review61 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
62 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It62 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
63 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which63 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
64 ones·can·be·safely·disabled.64 ones·can·be·safely·disabled.
65 <br><br>65 <br><br>
66 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional66 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
67 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up67 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
68 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server68 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
70 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft70 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
71 Windows·systems.·There·are·two·software·packages·that·provide71 that·passwords·and·other·data·transmitted·during·the·session·can·be
72 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of72 captured·and·that·the·session·is·vulnerable·to·hijacking.
73 command·line·tools·that·enable·a·client·system·to·access·Samba73 Therefore,·running·the·FTP·server·software·is·not·recommended.
74 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba74 <br><br>
75 service.·It·is·this·second·package·that·allows·a·Linux·system·to75 However,·there·are·some·FTP·server·configurations·which·may
76 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a76 be·appropriate·for·some·environments,·particularly·those·which
77 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by77 allow·only·read-only·anonymous·access·as·a·means·of·downloading
78 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary78 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
80 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a80 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29095"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
81 <code>[global]</code>·configuration·section·and·a·series·of·user81 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
82 created·share·definition·sections·meant·to·describe·file·or·print82 ············
83 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode83 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
84 and·allow·client·systems·to·access·local·home·directories·and84 ········<pre>$·sudo·yum·erase·vsftpd</pre>
85 printers.·It·is·recommended·that·these·settings·be·changed·or·that85 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
86 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29054"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient86 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
87 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
88 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
89 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
90 <pre>client·signing·=·mandatory</pre> 
91 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
92 signing·ensures·they·can 
93 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
94 man-in-the-middle·attacks·which·modify·SMB·packets·in 
95 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
96 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 87 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
97 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 88 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26687-4">CCE-26687-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
98 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29067">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29067"><pre><code>######################################################################89 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
99 #By·Luke·"Brisk-OH"·Brisk90 #
100 #luke.brisk@boeing.com·or·luke.brisk@gmail.com91 #·Example·Call(s):
101 ######################################################################92 #
 93 #·····package_remove·telnet-server
 94 #
 95 function·package_remove·{
  
102 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)96 #·Load·function·arguments·into·local·variables
 97 local·package="$1"
  
103 if·[·"$CLIENTSIGNING"·-eq·0·];··then98 #·Check·sanity·of·the·input
104 »       #·Add·to·global·section99 if·[·$#·-ne·"1"·]
105 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf100 then
 101 ··echo·"Usage:·package_remove·'package_name'"
 102 ··echo·"Aborting."
 103 ··exit·1
 104 fi
  
 105 if·which·dnf·;·then
 106 ··if·rpm·-q·--quiet·"$package";·then
 107 ····dnf·remove·-y·"$package"
 108 ··fi
 109 elif·which·yum·;·then
 110 ··if·rpm·-q·--quiet·"$package";·then
 111 ····yum·remove·-y·"$package"
 112 ··fi
 113 elif·which·apt-get·;·then
 114 ··apt-get·remove·-y·"$package"
106 else115 else
107 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf116 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 117 ··echo·"Aborting."
 118 ··exit·1
108 fi119 fi
109 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29068">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29068"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists 
110 ··stat: 
111 ····path:·/etc/samba/smb.conf 
112 ··register:·st_smb 
113 ··tags: 
114 ····-·require_smb_client_signing 
115 ····-·unknown_severity 
116 ····-·configure_strategy 
117 ····-·low_complexity 
118 ····-·medium_disruption 
119 ····-·CCE-26328-5 
120 ····-·DISA-STIG-RHEL-06-000272 
  
121 -·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient120 }
122 ··lineinfile: 
123 ····dest:·/etc/samba/smb.conf121 package_remove·vsftpd
124 ····line:·client·signing·=·mandatory122 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29106">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29106"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed
125 ····state:·present123 ··package:
126 ····insertafter:·[global]124 ····name="{{item}}"
127 ··when:·st_smb.stat.exists125 ····state=absent
 126 ··with_items:
 127 ····-·vsftpd
128 ··tags:128 ··tags:
129 ····-·require_smb_client_signing129 ····-·package_vsftpd_removed
130 ····-·unknown_severity130 ····-·unknown_severity
131 ····-·configure_strategy131 ····-·disable_strategy
132 ····-·low_complexity132 ····-·low_complexity
133 ····-·medium_disruption133 ····-·low_disruption
134 ····-·CCE-26328-5134 ····-·CCE-26687-4
135 ····-·DISA-STIG-RHEL-06-000272135 ····-·NIST-800-53-CM-7
136 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29073"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs136 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29107">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29107"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd
137 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba 
138 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares137 class·remove_vsftpd·{
139 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either138 ··package·{·'vsftpd':
140 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.139 ····ensure·=&gt;·'purged',
141 <br><br>140 ··}
142 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba141 }
143 client·should·only·communicate·with·servers·who·can·support·SMB142 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
144 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle143 package·--remove=vsftpd
145 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 144 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server
146 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
147 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
148 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server 
149 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to145 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to
150 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant146 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant
151 security·risk·because:147 security·risk·because:
152 <br><br>148 <br><br>
153 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long149 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-pci-dss.html
    
Offset 48, 15 lines modifiedOffset 48, 15 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 83, 15 lines modifiedOffset 83, 15 lines modified
83 <br><br>83 <br><br>
84 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP84 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP
85 servers,·and·the·remainder·obtaining·time·information·from·those85 servers,·and·the·remainder·obtaining·time·information·from·those
86 internal·servers.86 internal·servers.
87 <br><br>87 <br><br>
88 More·information·on·how·to·configure·the·NTP·server·software,88 More·information·on·how·to·configure·the·NTP·server·software,
89 including·configuration·of·cryptographic·authentication·for89 including·configuration·of·cryptographic·authentication·for
90 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29915"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon90 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon
91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
92 ··········92 ··········
93 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:93 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
94 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>94 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>
95 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>95 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>
96 service·will·be·running·and·that·the·system·will·synchronize·its·time·to96 service·will·be·running·and·that·the·system·will·synchronize·its·time·to
97 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be97 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be
Offset 101, 15 lines modifiedOffset 101, 15 lines modified
101 logs·and·auditing·possible·security·breaches.··101 logs·and·auditing·possible·security·breaches.··
102 <br><br>102 <br><br>
103 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·103 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·
104 deprecated.··Additional·information·on·this·is·available·at·104 deprecated.··Additional·information·on·this·is·available·at·
105 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 105 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
106 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 106 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
107 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 107 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27093-4">CCE-27093-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
108 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29934">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29934"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.108 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000247</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm29880">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29880"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
109 #109 #
110 #·Example·Call(s):110 #·Example·Call(s):
111 #111 #
112 #·····service_command·enable·bluetooth112 #·····service_command·enable·bluetooth
113 #·····service_command·disable·bluetooth.service113 #·····service_command·disable·bluetooth.service
114 #114 #
115 #·····Using·xinetd:115 #·····Using·xinetd:
Offset 177, 15 lines modifiedOffset 177, 15 lines modified
177 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd177 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
178 ··fi178 ··fi
179 fi179 fi
  
180 }180 }
  
181 service_command·enable·ntpd181 service_command·enable·ntpd
182 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd182 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29882">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29882"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd
183 ··service:183 ··service:
184 ····name="{{item}}"184 ····name="{{item}}"
185 ····enabled="yes"185 ····enabled="yes"
186 ····state="started"186 ····state="started"
187 ··with_items:187 ··with_items:
188 ····-·ntpd188 ····-·ntpd
189 ··tags:189 ··tags:
Offset 194, 26 lines modifiedOffset 194, 26 lines modified
194 ····-·enable_strategy194 ····-·enable_strategy
195 ····-·low_complexity195 ····-·low_complexity
196 ····-·low_disruption196 ····-·low_disruption
197 ····-·CCE-27093-4197 ····-·CCE-27093-4
198 ····-·NIST-800-53-AU-8(1)198 ····-·NIST-800-53-AU-8(1)
199 ····-·PCI-DSS-Req-10.4199 ····-·PCI-DSS-Req-10.4
200 ····-·DISA-STIG-RHEL-06-000247200 ····-·DISA-STIG-RHEL-06-000247
201 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29941"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers201 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29887"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers
202 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization202 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization
203 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the203 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the
204 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for204 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for
205 <em>ntpserver</em>:205 <em>ntpserver</em>:
206 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of206 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of
207 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes207 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes
208 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for208 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for
209 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 209 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
210 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 210 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
211 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 211 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26958-9">CCE-26958-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
212 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29954"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server212 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29900"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server
213 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit213 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit
214 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,214 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,
215 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:215 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:
216 <pre>server·<i>ntpserver</i></pre>216 <pre>server·<i>ntpserver</i></pre>
217 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time217 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time
218 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible218 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible
219 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with219 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with
Offset 229, 15 lines modifiedOffset 229, 15 lines modified
229 detailed·documentation·is·available·from·its·website,229 detailed·documentation·is·available·from·its·website,
230 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and230 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and
231 provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary231 provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary
232 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then232 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
233 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration233 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
234 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be234 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
235 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more235 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
236 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31458"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval236 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm32018"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
237 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout237 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout
238 interval.238 interval.
239 After·this·interval·has·passed,·the·idle·user·will·be239 After·this·interval·has·passed,·the·idle·user·will·be
240 automatically·logged·out.240 automatically·logged·out.
241 <br><br>241 <br><br>
242 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as242 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
243 follows:243 follows:
Offset 249, 23 lines modifiedOffset 249, 23 lines modified
249 shell,·that·value·will·preempt·any·SSH249 shell,·that·value·will·preempt·any·SSH
250 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH250 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
251 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out251 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out
252 guards·against·compromises·one·system·leading·trivially252 guards·against·compromises·one·system·leading·trivially
253 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 253 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
254 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 254 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
255 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26919-1">CCE-26919-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 255 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26919-1">CCE-26919-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
256 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000230</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm31481">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31481"><pre><code>256 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000230</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm32041">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm32041"><pre><code>
257 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"257 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"
  
258 grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&amp;&amp;·\258 grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&amp;&amp;·\
259 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config259 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config
260 if·!·[·$?·-eq·0·];·then260 if·!·[·$?·-eq·0·];·then
261 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·&gt;&gt;·/etc/ssh/sshd_config261 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·&gt;&gt;·/etc/ssh/sshd_config
262 fi262 fi
263 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm31483">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31483"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable263 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm32043">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm32043"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable
264 ··set_fact:264 ··set_fact:
265 ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>265 ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>
266 ··tags:266 ··tags:
267 ····-·always267 ····-·always
Max diff block lines reached; 841276/865965 bytes (97.15%) of diff not shown.
653 KB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-rht-ccp.html
    
Offset 48, 23 lines modifiedOffset 48, 136 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org
.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_R
HEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
57 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It57 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which58 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
59 ones·can·be·safely·disabled.59 ones·can·be·safely·disabled.
60 <br><br>60 <br><br>
61 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional61 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
62 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up62 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
63 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services63 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons
 64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to
 65 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost
 66 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or
 67 may·not·be·required·on·a·given·system.·Both·daemons·should·be
 68 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm30147"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd)
 69 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to
 70 schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed
 71 execution·in·a·manner·similar·to·cron,·except·that·it·is·not
 72 recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via
 73 <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time.
  
 74 ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command:
 75 ········<pre>$·sudo·chkconfig·atd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry
 76 out·activities·outside·of·a·normal·login·session,·which·could·complicate
 77 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or
 78 <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 79 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 80 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27249-2">CCE-27249-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 81 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000262</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50442r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm30167">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30167"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 82 #
 83 #·Example·Call(s):
 84 #
 85 #·····service_command·enable·bluetooth
 86 #·····service_command·disable·bluetooth.service
 87 #
 88 #·····Using·xinetd:
 89 #·····service_command·disable·rsh.socket·xinetd=rsh
 90 #
 91 function·service_command·{
  
 92 #·Load·function·arguments·into·local·variables
 93 local·service_state=$1
 94 local·service=$2
 95 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 96 #·Check·sanity·of·the·input
 97 if·[·$#·-lt·"2"·]
 98 then
 99 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 100 ··echo
 101 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 102 ··echo·"as·the·last·argument"··
 103 ··echo·"Aborting."
 104 ··exit·1
 105 fi
  
 106 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 107 if·[·-f·"/usr/bin/systemctl"·]·;·then
 108 ··service_util="/usr/bin/systemctl"
 109 else
 110 ··service_util="/sbin/service"
 111 ··chkconfig_util="/sbin/chkconfig"
 112 fi
  
 113 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 114 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 115 if·[·"$service_state"·!=·'disable'·]·;·then
 116 ··service_state="enable"
 117 ··service_operation="start"
 118 ··chkconfig_state="on"
 119 else
 120 ··service_state="disable"
 121 ··service_operation="stop"
 122 ··chkconfig_state="off"
 123 fi
  
 124 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 125 if·[·"x$chkconfig_util"·!=·x·]·;·then
 126 ··$service_util·$service·$service_operation
 127 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 128 else
 129 ··$service_util·$service_operation·$service
 130 ··$service_util·$service_state·$service
 131 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 132 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 133 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 134 ··$service_util·reset-failed·$service
 135 fi
  
 136 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 137 #·If·empty,·then·xinetd·is·not·being·used.
 138 if·[·"x$xinetd"·!=·x·]·;·then
 139 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&amp;&amp;·\
  
 140 ··if·[·"$service_operation"·=·'disable'·]·;·then
 141 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 142 ··else
 143 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 144 ··fi
 145 fi
  
 146 }
  
 147 service_command·disable·atd
 148 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm30169">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30169"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd
 149 ··service:
 150 ····name="{{item}}"
 151 ····enabled="no"
 152 ····state="stopped"
 153 ··register:·service_result
 154 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 155 ··with_items:
 156 ····-·atd
 157 ··tags:
 158 ····-·service_atd_disabled
 159 ····-·unknown_severity
 160 ····-·disable_strategy
 161 ····-·low_complexity
 162 ····-·low_disruption
 163 ····-·CCE-27249-2
 164 ····-·NIST-800-53-CM-7
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-server.html
    
Offset 49, 15 lines modifiedOffset 49, 15 lines modified
49 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in49 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
50 this·guide·without·first·testing·them·in·a·non-operational·environment.·The50 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
51 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by51 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
52 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its52 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
53 quality,·reliability,·or·any·other·characteristic.53 quality,·reliability,·or·any·other·characteristic.
54 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>54 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
55 ····························(as·of·2018-07-26)55 ····························(as·of·2018-07-26)
56 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·hr[·...·truncated·by·diffoscope;·len:·550,·SHA:·748c39ab5de3bdcff786e6f881c51adf65720558ef8b4fcaee9c7b52390b8bab·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgp
roject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services56 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgpro
ject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·550,·SHA:·57496307fa97d1728004b56852784b91d9d3fe09769ff2b07f1473882fcbec47·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
58 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It58 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
60 ones·can·be·safely·disabled.60 ones·can·be·safely·disabled.
61 <br><br>61 <br><br>
62 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional62 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
63 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up63 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 75, 40 lines modifiedOffset 75, 40 lines modified
75 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in75 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in
76 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a76 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a
77 <code>[global]</code>·configuration·section·and·a·series·of·user77 <code>[global]</code>·configuration·section·and·a·series·of·user
78 created·share·definition·sections·meant·to·describe·file·or·print78 created·share·definition·sections·meant·to·describe·file·or·print
79 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode79 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode
80 and·allow·client·systems·to·access·local·home·directories·and80 and·allow·client·systems·to·access·local·home·directories·and
81 printers.·It·is·recommended·that·these·settings·be·changed·or·that81 printers.·It·is·recommended·that·these·settings·be·changed·or·that
82 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29054"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient82 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29711"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient
83 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use83 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use
84 packet·signing,·add·the·following·to·the·<code>[global]</code>·section84 packet·signing,·add·the·following·to·the·<code>[global]</code>·section
85 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:85 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:
86 <pre>client·signing·=·mandatory</pre>86 <pre>client·signing·=·mandatory</pre>
87 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet87 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet
88 signing·ensures·they·can88 signing·ensures·they·can
89 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent89 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent
90 man-in-the-middle·attacks·which·modify·SMB·packets·in90 man-in-the-middle·attacks·which·modify·SMB·packets·in
91 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 91 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
92 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 92 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
93 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 93 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
94 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29067">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29067"><pre><code>######################################################################94 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29724">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29724"><pre><code>######################################################################
95 #By·Luke·"Brisk-OH"·Brisk95 #By·Luke·"Brisk-OH"·Brisk
96 #luke.brisk@boeing.com·or·luke.brisk@gmail.com96 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
97 ######################################################################97 ######################################################################
  
98 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)98 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
99 if·[·"$CLIENTSIGNING"·-eq·0·];··then99 if·[·"$CLIENTSIGNING"·-eq·0·];··then
100 »       #·Add·to·global·section100 »       #·Add·to·global·section
101 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf101 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
102 else102 else
103 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf103 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
104 fi104 fi
105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29068">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29068"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists105 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29725">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29725"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists
106 ··stat:106 ··stat:
107 ····path:·/etc/samba/smb.conf107 ····path:·/etc/samba/smb.conf
108 ··register:·st_smb108 ··register:·st_smb
109 ··tags:109 ··tags:
110 ····-·require_smb_client_signing110 ····-·require_smb_client_signing
111 ····-·unknown_severity111 ····-·unknown_severity
112 ····-·configure_strategy112 ····-·configure_strategy
Offset 128, 87 lines modifiedOffset 128, 27 lines modified
128 ····-·require_smb_client_signing128 ····-·require_smb_client_signing
129 ····-·unknown_severity129 ····-·unknown_severity
130 ····-·configure_strategy130 ····-·configure_strategy
131 ····-·low_complexity131 ····-·low_complexity
132 ····-·medium_disruption132 ····-·medium_disruption
133 ····-·CCE-26328-5133 ····-·CCE-26328-5
134 ····-·DISA-STIG-RHEL-06-000272134 ····-·DISA-STIG-RHEL-06-000272
135 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29073"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs135 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29730"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs
136 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba136 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba
137 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares137 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares
138 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either138 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either
139 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.139 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.
140 <br><br>140 <br><br>
141 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba141 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba
142 client·should·only·communicate·with·servers·who·can·support·SMB142 client·should·only·communicate·with·servers·who·can·support·SMB
143 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle143 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle
144 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 144 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
145 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 145 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
146 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 146 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
147 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software147 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol
148 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. 
149 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious 
150 targets·of·network·attack. 
151 Ensure·that·systems·are·not·running·MTAs·unnecessarily, 
152 and·configure·needed·MTAs·as·defensively·as·possible. 
153 <br><br> 
154 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the 
155 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email 
156 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. 
157 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, 
158 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. 
159 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
160 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
161 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
162 <br><br> 
163 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software 
164 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. 
165 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by 
166 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. 
167 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients 
168 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only 
169 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29530"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening 
170 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following 
171 <code>inet_interfaces</code>·line·appears: 
172 <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages 
173 (such·as·cron·job·reports)·from·the·local·system·only, 
174 and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
175 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
176 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26780-7">CCE-26780-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
177 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000249</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP 
178 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows 
179 systems·to·request·and·obtain·an·IP·address·and·other·configuration 
180 parameters·from·a·server. 
181 <br><br> 
182 This·guide·recommends·configuring·networking·on·clients·by·manually·editing 
183 the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· 
184 systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· 
185 unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· 
186 that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client 
187 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system 
188 installer,·and·common·on·many·networks.·Nevertheless,·manual·management 
189 of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and 
190 accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29771"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client 
191 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit 
192 <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the 
193 following·changes: 
194 <ul><li>·Correct·the·BOOTPROTO·line·to·read: 
195 <pre>BOOTPROTO=none</pre> 
196 </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate 
197 values·based·on·your·site's·addressing·scheme: 
Max diff block lines reached; 1515729/1543957 bytes (98.17%) of diff not shown.
1.44 MB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-standard.html
    
Offset 50, 15 lines modifiedOffset 50, 15 lines modified
50 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in50 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
51 this·guide·without·first·testing·them·in·a·non-operational·environment.·The51 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
52 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by52 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
53 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its53 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
54 quality,·reliability,·or·any·other·characteristic.54 quality,·reliability,·or·any·other·characteristic.
55 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>55 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
56 ····························(as·of·2018-07-26)56 ····························(as·of·2018-07-26)
57 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configurati[·...·truncated·by·diffoscope;·len:·399,·SHA:·1813fbd08a6360a58cd44dfebbfd1c4e92674f9a178928b14bc1a2a28d09f72e·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgp
roject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services57 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="
#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li>[·...·truncated·by·diffoscope;·len:·399,·SHA:·fbfb410e2703115c5bde514edad124bef19a840feb775eacf478f7e80a5206c7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
58 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review58 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
59 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It59 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
60 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which60 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
61 ones·can·be·safely·disabled.61 ones·can·be·safely·disabled.
62 <br><br>62 <br><br>
63 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional63 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
64 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up64 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 76, 40 lines modifiedOffset 76, 40 lines modified
76 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in76 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in
77 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a77 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a
78 <code>[global]</code>·configuration·section·and·a·series·of·user78 <code>[global]</code>·configuration·section·and·a·series·of·user
79 created·share·definition·sections·meant·to·describe·file·or·print79 created·share·definition·sections·meant·to·describe·file·or·print
80 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode80 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode
81 and·allow·client·systems·to·access·local·home·directories·and81 and·allow·client·systems·to·access·local·home·directories·and
82 printers.·It·is·recommended·that·these·settings·be·changed·or·that82 printers.·It·is·recommended·that·these·settings·be·changed·or·that
83 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29054"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient83 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29711"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient
84 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use84 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use
85 packet·signing,·add·the·following·to·the·<code>[global]</code>·section85 packet·signing,·add·the·following·to·the·<code>[global]</code>·section
86 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:86 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:
87 <pre>client·signing·=·mandatory</pre>87 <pre>client·signing·=·mandatory</pre>
88 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet88 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet
89 signing·ensures·they·can89 signing·ensures·they·can
90 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent90 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent
91 man-in-the-middle·attacks·which·modify·SMB·packets·in91 man-in-the-middle·attacks·which·modify·SMB·packets·in
92 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 92 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
94 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 94 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
95 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29067">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29067"><pre><code>######################################################################95 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29724">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29724"><pre><code>######################################################################
96 #By·Luke·"Brisk-OH"·Brisk96 #By·Luke·"Brisk-OH"·Brisk
97 #luke.brisk@boeing.com·or·luke.brisk@gmail.com97 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
98 ######################################################################98 ######################################################################
  
99 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)99 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
100 if·[·"$CLIENTSIGNING"·-eq·0·];··then100 if·[·"$CLIENTSIGNING"·-eq·0·];··then
101 »       #·Add·to·global·section101 »       #·Add·to·global·section
102 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf102 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
103 else103 else
104 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf104 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
105 fi105 fi
106 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29068">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29068"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists106 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29725">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29725"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists
107 ··stat:107 ··stat:
108 ····path:·/etc/samba/smb.conf108 ····path:·/etc/samba/smb.conf
109 ··register:·st_smb109 ··register:·st_smb
110 ··tags:110 ··tags:
111 ····-·require_smb_client_signing111 ····-·require_smb_client_signing
112 ····-·unknown_severity112 ····-·unknown_severity
113 ····-·configure_strategy113 ····-·configure_strategy
Offset 129, 57 lines modifiedOffset 129, 27 lines modified
129 ····-·require_smb_client_signing129 ····-·require_smb_client_signing
130 ····-·unknown_severity130 ····-·unknown_severity
131 ····-·configure_strategy131 ····-·configure_strategy
132 ····-·low_complexity132 ····-·low_complexity
133 ····-·medium_disruption133 ····-·medium_disruption
134 ····-·CCE-26328-5134 ····-·CCE-26328-5
135 ····-·DISA-STIG-RHEL-06-000272135 ····-·DISA-STIG-RHEL-06-000272
136 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29073"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs136 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29730"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs
137 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba137 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba
138 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares138 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares
139 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either139 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either
140 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.140 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.
141 <br><br>141 <br><br>
142 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba142 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba
143 client·should·only·communicate·with·servers·who·can·support·SMB143 client·should·only·communicate·with·servers·who·can·support·SMB
144 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle144 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle
145 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 145 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
146 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 146 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
147 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 147 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
148 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software148 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol
149 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. 
150 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious 
151 targets·of·network·attack. 
152 Ensure·that·systems·are·not·running·MTAs·unnecessarily, 
153 and·configure·needed·MTAs·as·defensively·as·possible. 
154 <br><br> 
155 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the 
156 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email 
157 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. 
158 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, 
159 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. 
160 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
161 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
162 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
163 <br><br> 
164 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software 
165 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. 
166 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by 
167 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. 
168 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients 
169 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only 
170 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29530"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening 
171 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following 
172 <code>inet_interfaces</code>·line·appears: 
173 <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages 
174 (such·as·cron·job·reports)·from·the·local·system·only, 
175 and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
176 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
177 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26780-7">CCE-26780-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
178 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000249</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol 
179 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system149 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system
180 clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so150 clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so
181 time·will·drift·unpredictably·on·unmanaged·systems.·Central·time151 time·will·drift·unpredictably·on·unmanaged·systems.·Central·time
182 protocols·can·be·used·both·to·ensure·that·time·is·consistent·among152 protocols·can·be·used·both·to·ensure·that·time·is·consistent·among
183 a·network·of·systems,·and·that·their·time·is·consistent·with·the153 a·network·of·systems,·and·that·their·time·is·consistent·with·the
184 outside·world.154 outside·world.
185 <br><br>155 <br><br>
Offset 198, 15 lines modifiedOffset 168, 15 lines modified
198 <br><br>168 <br><br>
199 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP169 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP
200 servers,·and·the·remainder·obtaining·time·information·from·those170 servers,·and·the·remainder·obtaining·time·information·from·those
201 internal·servers.171 internal·servers.
202 <br><br>172 <br><br>
203 More·information·on·how·to·configure·the·NTP·server·software,173 More·information·on·how·to·configure·the·NTP·server·software,
204 including·configuration·of·cryptographic·authentication·for174 including·configuration·of·cryptographic·authentication·for
205 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29915"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon175 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon
206 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>176 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
207 ··········177 ··········
208 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:178 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
209 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>179 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>
Max diff block lines reached; 1486134/1511605 bytes (98.31%) of diff not shown.
1.94 MB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-stig-rhel6-disa.html
    
Offset 55, 23 lines modifiedOffset 55, 52 lines modified
55 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in55 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
56 this·guide·without·first·testing·them·in·a·non-operational·environment.·The56 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
57 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by57 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
58 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its58 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
59 quality,·reliability,·or·any·other·characteristic.59 quality,·reliability,·or·any·other·characteristic.
60 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>60 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
61 ····························(as·of·2018-07-26)61 ····························(as·of·2018-07-26)
62 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·910,·SHA:·9e31603d0e18b438741d26a5b46e138f2525272b0385c20d476cc1c15adf8af1·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·d
ata-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services62 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xc[·...·truncated·by·diffoscope;·len:·910,·SHA:·dfe52403c
a27039c6fd60778f9cb46d9343b9cfec43f048aeacec9a362dd7410·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
63 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review63 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
64 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It64 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
65 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which65 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
66 ones·can·be·safely·disabled.66 ones·can·be·safely·disabled.
67 <br><br>67 <br><br>
68 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional68 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
69 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up69 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
70 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server70 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
 71 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
 72 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
 73 that·passwords·and·other·data·transmitted·during·the·session·can·be
 74 captured·and·that·the·session·is·vulnerable·to·hijacking.
 75 Therefore,·running·the·FTP·server·software·is·not·recommended.
 76 <br><br>
 77 However,·there·are·some·FTP·server·configurations·which·may
 78 be·appropriate·for·some·environments,·particularly·those·which
 79 allow·only·read-only·anonymous·access·as·a·means·of·downloading
 80 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
 81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
 82 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
 83 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29019"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions
 84 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code>
 85 configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>:
 86 <pre>xferlog_enable=YES
 87 xferlog_std_format=NO
 88 log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to
 89 the·FTP·server·are·logged·using·the·verbose·vsftpd·log
 90 format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 91 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 92 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27142-9">CCE-27142-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 93 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000339</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29043"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users
 94 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code>
 95 by·default.·Add·or·correct·the·following·configuration·options:
 96 <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 97 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27145-2">CCE-27145-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 99 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000348</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server
71 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows100 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows
72 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft101 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft
73 Windows·systems.·There·are·two·software·packages·that·provide102 Windows·systems.·There·are·two·software·packages·that·provide
74 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of103 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of
75 command·line·tools·that·enable·a·client·system·to·access·Samba104 command·line·tools·that·enable·a·client·system·to·access·Samba
76 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba105 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba
77 service.·It·is·this·second·package·that·allows·a·Linux·system·to106 service.·It·is·this·second·package·that·allows·a·Linux·system·to
Offset 81, 40 lines modifiedOffset 110, 40 lines modified
81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in110 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in
82 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a111 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a
83 <code>[global]</code>·configuration·section·and·a·series·of·user112 <code>[global]</code>·configuration·section·and·a·series·of·user
84 created·share·definition·sections·meant·to·describe·file·or·print113 created·share·definition·sections·meant·to·describe·file·or·print
85 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode114 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode
86 and·allow·client·systems·to·access·local·home·directories·and115 and·allow·client·systems·to·access·local·home·directories·and
87 printers.·It·is·recommended·that·these·settings·be·changed·or·that116 printers.·It·is·recommended·that·these·settings·be·changed·or·that
88 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29054"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient117 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29711"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient
89 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use118 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use
90 packet·signing,·add·the·following·to·the·<code>[global]</code>·section119 packet·signing,·add·the·following·to·the·<code>[global]</code>·section
91 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:120 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:
92 <pre>client·signing·=·mandatory</pre>121 <pre>client·signing·=·mandatory</pre>
93 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet122 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet
94 signing·ensures·they·can123 signing·ensures·they·can
95 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent124 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent
96 man-in-the-middle·attacks·which·modify·SMB·packets·in125 man-in-the-middle·attacks·which·modify·SMB·packets·in
97 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 126 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
98 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 127 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
99 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 128 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
100 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29067">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29067"><pre><code>######################################################################129 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29724">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29724"><pre><code>######################################################################
101 #By·Luke·"Brisk-OH"·Brisk130 #By·Luke·"Brisk-OH"·Brisk
102 #luke.brisk@boeing.com·or·luke.brisk@gmail.com131 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
103 ######################################################################132 ######################################################################
  
104 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)133 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
105 if·[·"$CLIENTSIGNING"·-eq·0·];··then134 if·[·"$CLIENTSIGNING"·-eq·0·];··then
106 »       #·Add·to·global·section135 »       #·Add·to·global·section
107 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf136 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
108 else137 else
109 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf138 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
110 fi139 fi
111 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29068">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29068"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists140 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29725">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29725"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists
112 ··stat:141 ··stat:
113 ····path:·/etc/samba/smb.conf142 ····path:·/etc/samba/smb.conf
114 ··register:·st_smb143 ··register:·st_smb
115 ··tags:144 ··tags:
116 ····-·require_smb_client_signing145 ····-·require_smb_client_signing
117 ····-·unknown_severity146 ····-·unknown_severity
118 ····-·configure_strategy147 ····-·configure_strategy
Offset 134, 75 lines modifiedOffset 163, 195 lines modified
134 ····-·require_smb_client_signing163 ····-·require_smb_client_signing
135 ····-·unknown_severity164 ····-·unknown_severity
136 ····-·configure_strategy165 ····-·configure_strategy
137 ····-·low_complexity166 ····-·low_complexity
138 ····-·medium_disruption167 ····-·medium_disruption
139 ····-·CCE-26328-5168 ····-·CCE-26328-5
140 ····-·DISA-STIG-RHEL-06-000272169 ····-·DISA-STIG-RHEL-06-000272
141 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29073"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs170 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29730"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs
142 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba171 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba
143 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares172 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares
144 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either173 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either
145 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.174 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.
146 <br><br>175 <br><br>
147 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba176 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba
148 client·should·only·communicate·with·servers·who·can·support·SMB177 client·should·only·communicate·with·servers·who·can·support·SMB
149 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle178 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle
150 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 179 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
151 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 180 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
152 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 181 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26792-2">CCE-26792-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
153 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software182 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000273</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol
154 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network.183 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system
155 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious184 clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so
156 targets·of·network·attack.185 time·will·drift·unpredictably·on·unmanaged·systems.·Central·time
157 Ensure·that·systems·are·not·running·MTAs·unnecessarily,186 protocols·can·be·used·both·to·ensure·that·time·is·consistent·among
158 and·configure·needed·MTAs·as·defensively·as·possible.187 a·network·of·systems,·and·that·their·time·is·consistent·with·the
 188 outside·world.
159 <br><br>189 <br><br>
160 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the190 If·every·system·on·a·network·reliably·reports·the·same·time,·then·it·is·much
161 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email191 easier·to·correlate·log·messages·in·case·of·an·attack.·In·addition,·a·number·of
162 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3.192 cryptographic·protocols·(such·as·Kerberos)·use·timestamps·to·prevent·certain
163 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email,193 types·of·attacks.·If·your·network·does·not·have·synchronized·time,·these
164 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator.194 protocols·may·be·unreliable·or·even·unusable.
165 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
Max diff block lines reached; 2008145/2036763 bytes (98.59%) of diff not shown.
1.84 MB
./usr/share/doc/ssg-nondebian/ssg-rhel6-guide-usgcb-rhel6-server.html
    
Offset 49, 46 lines modifiedOffset 49, 46 lines modified
49 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in49 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
50 this·guide·without·first·testing·them·in·a·non-operational·environment.·The50 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
51 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by51 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
52 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its52 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
53 quality,·reliability,·or·any·other·characteristic.53 quality,·reliability,·or·any·other·characteristic.
54 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>54 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
55 ····························(as·of·2018-07-26)55 ····························(as·of·2018-07-26)
56 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·1135,·SHA:·fa1f688fecfd327721db14768693baf620a8eed48e56a9c84b2b1d81c622771a·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·
data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services56 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1135,·SHA:·21de240
d343fbd223cf68c70c59d884c3ee65c2748e12911430648c71044dd8d·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
58 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It58 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
60 ones·can·be·safely·disabled.60 ones·can·be·safely·disabled.
61 <br><br>61 <br><br>
62 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional62 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
63 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up63 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
64 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server64 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
66 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft66 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
67 Windows·systems.·There·are·two·software·packages·that·provide67 that·passwords·and·other·data·transmitted·during·the·session·can·be
68 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of68 captured·and·that·the·session·is·vulnerable·to·hijacking.
69 command·line·tools·that·enable·a·client·system·to·access·Samba69 Therefore,·running·the·FTP·server·software·is·not·recommended.
70 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba70 <br><br>
71 service.·It·is·this·second·package·that·allows·a·Linux·system·to71 However,·there·are·some·FTP·server·configurations·which·may
72 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a72 be·appropriate·for·some·environments,·particularly·those·which
73 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by73 allow·only·read-only·anonymous·access·as·a·means·of·downloading
74 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible74 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
75 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it75 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
76 will·remain·disabled.·Do·not·enable·this·service·unless·it·is76 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
77 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print77 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
78 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm28973"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba 
79 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> 
80 ············78 ············
81 ········The·<code>smb</code>·service·can·be·disabled·with·the·following·command:79 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
82 ········<pre>$·sudo·chkconfig·smb·off</pre>80 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
83 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·a·Samba·server·provides·a·network-based·avenue·of·attack,·and81 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
84 should·be·disabled·if·not·needed.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 82 of·attack,·and·should·be·disabled·if·not·needed.
 83 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
 84 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
85 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 85 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
86 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27143-7">CCE-27143-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 86 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26948-0">CCE-26948-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
87 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm28981">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm28981"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.87 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29088">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29088"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
88 #88 #
89 #·Example·Call(s):89 #·Example·Call(s):
90 #90 #
91 #·····service_command·enable·bluetooth91 #·····service_command·enable·bluetooth
92 #·····service_command·disable·bluetooth.service92 #·····service_command·disable·bluetooth.service
93 #93 #
94 #·····Using·xinetd:94 #·····Using·xinetd:
Offset 155, 127 lines modifiedOffset 155, 125 lines modified
155 ··else155 ··else
156 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd156 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
157 ··fi157 ··fi
158 fi158 fi
  
159 }159 }
  
160 service_command·disable·smb160 service_command·disable·vsftpd
161 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm28983">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm28983"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·smb161 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd
162 ··service:162 ··service:
163 ····name="{{item}}"163 ····name="{{item}}"
164 ····enabled="no"164 ····enabled="no"
165 ····state="stopped"165 ····state="stopped"
166 ··register:·service_result166 ··register:·service_result
167 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"167 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
168 ··with_items:168 ··with_items:
169 ····-·smb169 ····-·vsftpd
170 ··tags:170 ··tags:
171 ····-·service_smb_disabled171 ····-·service_vsftpd_disabled
172 ····-·unknown_severity172 ····-·unknown_severity
173 ····-·disable_strategy173 ····-·disable_strategy
174 ····-·low_complexity174 ····-·low_complexity
175 ····-·low_disruption175 ····-·low_disruption
176 ····-·CCE-27143-7176 ····-·CCE-26948-0
177 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary177 ····-·NIST-800-53-CM-7
178 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in178 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29095"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
179 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a179 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
180 <code>[global]</code>·configuration·section·and·a·series·of·user180 ············
181 created·share·definition·sections·meant·to·describe·file·or·print181 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
182 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode182 ········<pre>$·sudo·yum·erase·vsftpd</pre>
183 and·allow·client·systems·to·access·local·home·directories·and183 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
184 printers.·It·is·recommended·that·these·settings·be·changed·or·that184 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
185 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29054"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient 
186 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
187 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
188 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
189 <pre>client·signing·=·mandatory</pre> 
190 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
191 signing·ensures·they·can 
192 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
193 man-in-the-middle·attacks·which·modify·SMB·packets·in 
194 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
195 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 185 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
196 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26328-5">CCE-26328-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 186 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-26687-4">CCE-26687-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
197 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-06-000272</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29067">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29067"><pre><code>######################################################################187 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29104">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29104"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
198 #By·Luke·"Brisk-OH"·Brisk188 #
199 #luke.brisk@boeing.com·or·luke.brisk@gmail.com189 #·Example·Call(s):
200 ######################################################################190 #
 191 #·····package_remove·telnet-server
 192 #
 193 function·package_remove·{
  
201 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)194 #·Load·function·arguments·into·local·variables
 195 local·package="$1"
  
202 if·[·"$CLIENTSIGNING"·-eq·0·];··then196 #·Check·sanity·of·the·input
203 »       #·Add·to·global·section197 if·[·$#·-ne·"1"·]
204 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf198 then
 199 ··echo·"Usage:·package_remove·'package_name'"
 200 ··echo·"Aborting."
 201 ··exit·1
 202 fi
  
 203 if·which·dnf·;·then
 204 ··if·rpm·-q·--quiet·"$package";·then
 205 ····dnf·remove·-y·"$package"
 206 ··fi
 207 elif·which·yum·;·then
 208 ··if·rpm·-q·--quiet·"$package";·then
 209 ····yum·remove·-y·"$package"
 210 ··fi
 211 elif·which·apt-get·;·then
 212 ··apt-get·remove·-y·"$package"
205 else213 else
206 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf214 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 215 ··echo·"Aborting."
 216 ··exit·1
207 fi217 fi
Max diff block lines reached; 1906514/1933470 bytes (98.61%) of diff not shown.
298 KB
./usr/share/doc/ssg-nondebian/ssg-rhel7-PCIDSS-RHEL-7-guide-pci-dss_centric.html
    
Offset 1345, 37 lines modifiedOffset 1345, 30 lines modified
1345 ····-·medium_disruption1345 ····-·medium_disruption
1346 ····-·CCE-80111-81346 ····-·CCE-80111-8
1347 ····-·NIST-800-53-AC-11(a)1347 ····-·NIST-800-53-AC-11(a)
1348 ····-·NIST-800-171-3.1.101348 ····-·NIST-800-171-3.1.10
1349 ····-·PCI-DSS-Req-8.1.81349 ····-·PCI-DSS-Req-8.1.8
1350 ····-·CJIS-5.5.51350 ····-·CJIS-5.5.5
1351 ····-·DISA-STIG-RHEL-07-0101001351 ····-·DISA-STIG-RHEL-07-010100
1352 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay"·id="guide-tree-leaf-idm95690"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.1.8"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay">Set·GNOME3·Screensaver·Inactivity·Timeout1352 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank"·id="guide-tree-leaf-idm95666"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.1.8"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank">Implement·Blank·Screensaver
1353 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·idle·time-out·value·for·inactivity·in·the·GNOME3·desktop·is·configured·via·the·<code>idle-delay</code>1353 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·screensaver·mode·in·the·GNOME3·desktop·to·a·blank·screen,
1354 setting·must·be·set·under·an·appropriate·configuration·file(s)·in·the·<code>/etc/dconf/db/local.d</code>·directory1354 add·or·set·<code>picture-uri</code>·to·<code>string·''</code>·in
1355 and·locked·in·<code>/etc/dconf/db/local.d/locks</code>·directory·to·prevent·user·modification.1355 <code>/etc/dconf/db/local.d/00-security-settings</code>.·For·example:
1356 <br><br>1356 <pre>[org/gnome/desktop/screensaver]
1357 For·example,·to·configure·the·system·for·a·15·minute·delay,·add·the·following·to1357 picture-uri=string·''
1358 <code>/etc/dconf/db/local.d/00-security-settings</code>:1358 </pre>
1359 <pre>[org/gnome/desktop/session]1359 Once·the·settings·have·been·added,·add·a·lock·to
1360 idle-delay='uint32·900'</pre> 
1361 Once·the·setting·has·been·added,·add·a·lock·to 
1362 <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification.1360 <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification.
1363 For·example:1361 For·example:
1364 <pre>/org/gnome/desktop/session/idle-delay</pre>1362 <pre>/org/gnome/desktop/screensaver/picture-uri</pre>
1365 After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p>A·session·time-out·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from1363 After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p>Setting·the·screensaver·mode·to·blank-only·conceals·the
1366 the·immediate·physical·vicinity·of·the·information·system·but·does·not·logout·because·of·the1364 contents·of·the·display·from·passersby.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
1367 temporary·nature·of·the·absence.·Rather·than·relying·on·the·user·to·manually·lock·their·operating1365 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
1368 system·session·prior·to·vacating·the·vicinity,·GNOME3·can·be·configured·to·identify·when1366 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80113-4">CCE-80113-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span
1369 a·user's·session·has·idled·and·take·action·to·initiate·a·session·lock.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 1367 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000060</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm95684">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95684"><pre><code>function·include_dconf_settings·{
1370 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span>  
1371 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80110-0">CCE-80110-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
1372 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86517r4_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm95714">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95714"><pre><code> 
1373 inactivity_timeout_value="<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_inactivity_timeout_value">(N/A)</abbr>" 
1374 function·include_dconf_settings·{ 
1375 »       :1368 »       :
1376 }1369 }
  
1377 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.1370 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
1378 #1371 #
1379 #·Example·Call(s):1372 #·Example·Call(s):
1380 #1373 #
Offset 1442, 76 lines modifiedOffset 1435, 75 lines modified
1442 »       »       echo·"/${_key}/${_setting}"·&gt;&gt;·"/etc/dconf/db/${_db}/locks/${_lockFile}"1435 »       »       echo·"/${_key}/${_setting}"·&gt;&gt;·"/etc/dconf/db/${_db}/locks/${_lockFile}"
1443 »       fi1436 »       fi
1444 }1437 }
  
  
1445 include_dconf_settings1438 include_dconf_settings
  
1446 dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings'1439 dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings'
1447 dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock'1440 dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock'
1448 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm95717">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95717"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr></table><pre><code>-·name:·XCCDF·Value·inactivity_timeout_value·#·promote·to·variable1441 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm95686">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95686"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr></table><pre><code>-·name:·"Implement·Blank·Screensaver"
1449 ··set_fact: 
1450 ····inactivity_timeout_value:·<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_inactivity_timeout_value">(N/A)</abbr> 
1451 ··tags: 
1452 ····-·always 
  
1453 -·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" 
1454 ··ini_file:1442 ··ini_file:
1455 ····dest:·"/etc/dconf/db/local.d/00-security-settings"1443 ····dest:·"/etc/dconf/db/local.d/00-security-settings"
1456 ····section:·"org/gnome/desktop/screensaver"1444 ····section:·"org/gnome/desktop/screensaver"
1457 ····option:·idle-delay1445 ····option:·picture-uri
1458 ····value:·"{{·inactivity_timeout_value·}}"1446 ····value:·string·''
1459 ····create:·yes1447 ····create:·yes
1460 ··tags:1448 ··tags:
1461 ····-·dconf_gnome_screensaver_idle_delay1449 ····-·dconf_gnome_screensaver_mode_blank
1462 ····-·medium_severity1450 ····-·unknown_severity
1463 ····-·unknown_strategy1451 ····-·unknown_strategy
1464 ····-·low_complexity1452 ····-·low_complexity
1465 ····-·medium_disruption1453 ····-·medium_disruption
1466 ····-·CCE-80110-01454 ····-·CCE-80113-4
1467 ····-·NIST-800-53-AC-11(a)1455 ····-·NIST-800-53-AC-11(b)
1468 ····-·NIST-800-171-3.1.101456 ····-·NIST-800-171-3.1.10
1469 ····-·PCI-DSS-Req-8.1.81457 ····-·PCI-DSS-Req-8.1.8
1470 ····-·CJIS-5.5.51458 ····-·CJIS-5.5.5
1471 ····-·DISA-STIG-RHEL-07-010070 
  
1472 -·name:·"Prevent·user·modification·of·GNOME·idle-delay"1459 -·name:·"Prevent·user·modification·of·GNOME·picture-uri"
1473 ··lineinfile:1460 ··lineinfile:
1474 ····path:·/etc/dconf/db/local.d/locks/00-security-settings-lock1461 ····path:·/etc/dconf/db/local.d/locks/00-security-settings-lock
1475 ····regexp:·'^/org/gnome/desktop/screensaver/idle-delay'1462 ····regexp:·'^/org/gnome/desktop/screensaver/picture-uri'
1476 ····line:·'/org/gnome/desktop/screensaver/idle-delay'1463 ····line:·'/org/gnome/desktop/screensaver/picture-uri'
1477 ····create:·yes1464 ····create:·yes
1478 ··tags:1465 ··tags:
1479 ····-·dconf_gnome_screensaver_idle_delay1466 ····-·dconf_gnome_screensaver_mode_blank
1480 ····-·medium_severity1467 ····-·unknown_severity
1481 ····-·unknown_strategy1468 ····-·unknown_strategy
1482 ····-·low_complexity1469 ····-·low_complexity
1483 ····-·medium_disruption1470 ····-·medium_disruption
1484 ····-·CCE-80110-01471 ····-·CCE-80113-4
1485 ····-·NIST-800-53-AC-11(a)1472 ····-·NIST-800-53-AC-11(b)
1486 ····-·NIST-800-171-3.1.101473 ····-·NIST-800-171-3.1.10
1487 ····-·PCI-DSS-Req-8.1.81474 ····-·PCI-DSS-Req-8.1.8
1488 ····-·CJIS-5.5.51475 ····-·CJIS-5.5.5
1489 ····-·DISA-STIG-RHEL-07-0100701476 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay"·id="guide-tree-leaf-idm95691"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.1.8"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay">Set·GNOME3·Screensaver·Inactivity·Timeout
1490 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank"·id="guide-tree-leaf-idm95748"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_pcidss-req-8.1.8"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank">Implement·Blank·Screensaver1477 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·idle·time-out·value·for·inactivity·in·the·GNOME3·desktop·is·configured·via·the·<code>idle-delay</code>
1491 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·set·the·screensaver·mode·in·the·GNOME3·desktop·to·a·blank·screen,1478 setting·must·be·set·under·an·appropriate·configuration·file(s)·in·the·<code>/etc/dconf/db/local.d</code>·directory
1492 add·or·set·<code>picture-uri</code>·to·<code>string·''</code>·in1479 and·locked·in·<code>/etc/dconf/db/local.d/locks</code>·directory·to·prevent·user·modification.
1493 <code>/etc/dconf/db/local.d/00-security-settings</code>.·For·example:1480 <br><br>
1494 <pre>[org/gnome/desktop/screensaver]1481 For·example,·to·configure·the·system·for·a·15·minute·delay,·add·the·following·to
1495 picture-uri=string·''1482 <code>/etc/dconf/db/local.d/00-security-settings</code>:
1496 </pre>1483 <pre>[org/gnome/desktop/session]
1497 Once·the·settings·have·been·added,·add·a·lock·to1484 idle-delay='uint32·900'</pre>
 1485 Once·the·setting·has·been·added,·add·a·lock·to
1498 <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification.1486 <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification.
1499 For·example:1487 For·example:
1500 <pre>/org/gnome/desktop/screensaver/picture-uri</pre>1488 <pre>/org/gnome/desktop/session/idle-delay</pre>
1501 After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p>Setting·the·screensaver·mode·to·blank-only·conceals·the1489 After·the·settings·have·been·set,·run·<code>dconf·update</code>.</p><span·class="label·label-primary">Rationale:</span><p>A·session·time-out·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from
1502 contents·of·the·display·from·passersby.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 1490 the·immediate·physical·vicinity·of·the·information·system·but·does·not·logout·because·of·the
1503 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 1491 temporary·nature·of·the·absence.·Rather·than·relying·on·the·user·to·manually·lock·their·operating
1504 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80113-4">CCE-80113-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span1492 system·session·prior·to·vacating·the·vicinity,·GNOME3·can·be·configured·to·identify·when
1505 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000060</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm95766">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95766"><pre><code>function·include_dconf_settings·{1493 a·user's·session·has·idled·and·take·action·to·initiate·a·session·lock.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 1494 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 1495 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80110-0">CCE-80110-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 1496 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010070</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86517r4_rule</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.5</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000057</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000029-GPOS-00010</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm95715">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm95715"><pre><code>
 1497 inactivity_timeout_value="<abbr·title="Substitution·failed:·xccdf_org.ssgproject.content_value_inactivity_timeout_value">(N/A)</abbr>"
 1498 function·include_dconf_settings·{
1506 »       :1499 »       :
1507 }1500 }
  
1508 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.1501 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
1509 #1502 #
1510 #·Example·Call(s):1503 #·Example·Call(s):
1511 #1504 #
Offset 1578, 52 lines modifiedOffset 1570, 60 lines modified
1578 »       »       echo·"/${_key}/${_setting}"·&gt;&gt;·"/etc/dconf/db/${_db}/locks/${_lockFile}"1570 »       »       echo·"/${_key}/${_setting}"·&gt;&gt;·"/etc/dconf/db/${_db}/locks/${_lockFile}"
1579 »       fi1571 »       fi
1580 }1572 }
  
  
1581 include_dconf_settings1573 include_dconf_settings
Max diff block lines reached; 287856/305326 bytes (94.28%) of diff not shown.
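Review bot: The two builds of this guide differ only in the order of sibling rules and in the generated element ids, not in rule content: the dconf_gnome_screensaver_idle_delay and dconf_gnome_screensaver_mode_blank blocks swap places (old 1352–1489 vs new 1352–1476) and the collapse/anchor ids change (idm95690→idm95666, idm95714→idm95684, idm95717→idm95686), while the CCE identifiers, references and remediation bodies are identical. This is a reproducibility defect in the guide generator rather than a packaging change, so the fix belongs in the build: emit rules in a stable, sorted order and derive anchor ids from the rule id (e.g. the xccdf_org.ssgproject.content_rule_… value already present in each `<tr data-tt-id>`) instead of the idm… values, which look like libxslt generate-id() output and appear to vary with node addresses. The same pattern is visible in the chromium guide section above (smb vs vsftpd rule order, idm28981→idm29088), so one generator fix should cover all guides. Until then, the per-guide md5sums in the .deb will keep differing between otherwise identical builds, which defeats the integrity check a reproducible build is meant to provide.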
1.07 MB
./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-C2S.html
    
Offset 58, 15 lines modifiedOffset 58, 15 lines modified
58 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in58 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
59 this·guide·without·first·testing·them·in·a·non-operational·environment.·The59 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
60 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by60 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
61 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its61 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
62 quality,·reliability,·or·any·other·characteristic.62 quality,·reliability,·or·any·other·characteristic.
63 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>63 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
64 ····························(as·of·2018-07-26)64 ····························(as·of·2018-07-26)
65 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.c[·...·truncated·by·diffoscope;·len:·39,·SHA:·9fa1eff42ec8317736e4e9e4a39edaacb764d06e868832c02f95c6f4d064aaef·...·]</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><
a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"><small>contains·213·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services65 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·39,·SHA:·71531d2cb5e45bf87276058ffe0a5eac9722a5944d366562dfd03b1cc8832d7f·...·]</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·h
ref="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"><small>contains·213·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
66 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review66 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
67 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It67 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It
68 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which68 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which
69 ones·can·be·safely·disabled.69 ones·can·be·safely·disabled.
70 <br><br>70 <br><br>
71 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional71 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
72 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up72 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 84, 25 lines modifiedOffset 84, 25 lines modified
84 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict84 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
85 the·service·as·much·as·possible,·for·instance·by·configuring·host85 the·service·as·much·as·possible,·for·instance·by·configuring·host
86 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the86 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
87 vulnerable·service·to·only·those·remote·hosts·which·have·a·known87 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
88 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec88 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
89 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which89 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
90 allow·cleartext·remote·access·and·have·an·insecure·trust90 allow·cleartext·remote·access·and·have·an·insecure·trust
91 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package91 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35969"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
92 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands92 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
93 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have93 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
94 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,94 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
95 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from95 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
96 inadvertently·attempting·to·use·these·commands·and·therefore·exposing96 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
97 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes97 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
98 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 98 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
99 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 99 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
100 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 100 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
101 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36018">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36018"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.101 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm35993">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35993"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
102 #102 #
103 #·Example·Call(s):103 #·Example·Call(s):
104 #104 #
105 #·····package_remove·telnet-server105 #·····package_remove·telnet-server
106 #106 #
107 function·package_remove·{107 function·package_remove·{
  
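Review bot: The only difference in this hunk is the generated anchor ids — `id="guide-tree-leaf-idm35994"` and `data-target="#idm36018"` on the rsh rule become `idm35969` / `idm35993` in the second build — which alone makes the guide HTML non-reproducible, so a rebuild cannot be used to verify the shipped package. The same drift recurs in the Offset 132 hunk (`idm36020`, `idm36021`, `idm36022`, `idm36027`, `idm36052`, `idm36053`). The numbering pattern looks like an XSLT `generate-id()` or similar processor-internal node counter, whose value is not guaranteed stable between runs; that is inferred from the pattern only and should be confirmed in the guide generator. Deriving each collapse-panel id from the rule's own XCCDF id (a constructed example: `id="xccdf_org.ssgproject.content_rule_package_rsh_removed-bash"` with the matching `data-target`) would make the output deterministic while keeping every show/hide link bound to its panel. The table-of-contents difference earlier in the file, where the IMAP and POP3 Server entry appears only in the second build, is a separate content-level divergence and deserves its own look.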
Offset 132, 63 lines modifiedOffset 132, 63 lines modified
132 ··echo·"Aborting."132 ··echo·"Aborting."
133 ··exit·1133 ··exit·1
134 fi134 fi
  
135 }135 }
  
136 package_remove·rsh136 package_remove·rsh
137 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed137 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
138 ··package:138 ··package:
139 ····name="{{item}}"139 ····name="{{item}}"
140 ····state=absent140 ····state=absent
141 ··with_items:141 ··with_items:
142 ····-·rsh142 ····-·rsh
143 ··tags:143 ··tags:
144 ····-·package_rsh_removed144 ····-·package_rsh_removed
145 ····-·unknown_severity145 ····-·unknown_severity
146 ····-·disable_strategy146 ····-·disable_strategy
147 ····-·low_complexity147 ····-·low_complexity
148 ····-·low_disruption148 ····-·low_disruption
149 ····-·CCE-27274-0149 ····-·CCE-27274-0
150 ····-·NIST-800-171-3.1.13150 ····-·NIST-800-171-3.1.13
151 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh151 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35996">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35996"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
152 class·remove_rsh·{152 class·remove_rsh·{
153 ··package·{·'rsh':153 ··package·{·'rsh':
154 ····ensure·=&gt;·'purged',154 ····ensure·=&gt;·'purged',
155 ··}155 ··}
156 }156 }
157 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36022">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36022"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>157 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35997">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35997"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
158 package·--remove=rsh158 package·--remove=rsh
159 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service159 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
160 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with160 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
161 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately161 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
162 as·a·systemd·socket,·should·be·disabled.162 as·a·systemd·socket,·should·be·disabled.
163 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.163 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
164 If·using·systemd,·164 If·using·systemd,·
165 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:165 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
166 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which166 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
167 means·that·data·from·the·login·session,·including·passwords·and167 means·that·data·from·the·login·session,·including·passwords·and
168 all·other·information·transmitted·during·the·session,·can·be168 all·other·information·transmitted·during·the·session,·can·be
169 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 169 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
170 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 170 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
171 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 171 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
172 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36052">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36052"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\172 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36027">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36027"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
173 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin173 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
174 #174 #
175 #·Disable·rlogin.socket·for·all·systemd·targets175 #·Disable·rlogin.socket·for·all·systemd·targets
176 #176 #
177 systemctl·disable·rlogin.socket177 systemctl·disable·rlogin.socket
  
178 #178 #
179 #·Stop·rlogin.socket·if·currently·running179 #·Stop·rlogin.socket·if·currently·running
180 #180 #
181 systemctl·stop·rlogin.socket181 systemctl·stop·rlogin.socket
182 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36053">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36053"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin182 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36028">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36028"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
183 ··service:183 ··service:
184 ····name="{{item}}"184 ····name="{{item}}"
185 ····enabled="no"185 ····enabled="no"
186 ····state="stopped"186 ····state="stopped"
187 ··register:·service_result187 ··register:·service_result
188 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"188 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
189 ··with_items:189 ··with_items:
Offset 201, 40 lines modifiedOffset 201, 40 lines modified
201 ····-·low_disruption201 ····-·low_disruption
202 ····-·CCE-27336-7202 ····-·CCE-27336-7
203 ····-·NIST-800-53-AC-17(8)203 ····-·NIST-800-53-AC-17(8)
204 ····-·NIST-800-53-CM-7204 ····-·NIST-800-53-CM-7
205 ····-·NIST-800-53-IA-5(1)(c)205 ····-·NIST-800-53-IA-5(1)(c)
206 ····-·NIST-800-171-3.1.13206 ····-·NIST-800-171-3.1.13
207 ····-·NIST-800-171-3.4.7207 ····-·NIST-800-171-3.4.7
208 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36058"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service208 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36033"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
210 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately210 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
211 as·a·systemd·socket,·should·be·disabled.211 as·a·systemd·socket,·should·be·disabled.
212 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·212 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
213 If·using·systemd,·213 If·using·systemd,·
214 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:214 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
215 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which215 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
216 means·that·data·from·the·login·session,·including·passwords·and216 means·that·data·from·the·login·session,·including·passwords·and
217 all·other·information·transmitted·during·the·session,·can·be217 all·other·information·transmitted·during·the·session,·can·be
218 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 218 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
219 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 219 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
220 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 220 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
221 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36083">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36083"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\221 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36058">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36058"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
Max diff block lines reached; 1085672/1119403 bytes (96.99%) of diff not shown.
511 KB
./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-cjis.html
    
Offset 74, 27 lines modifiedOffset 74, 27 lines modified
74 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·74 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·
75 is·called·<code>sshd</code>·and·provided·by·the·RPM·package75 is·called·<code>sshd</code>·and·provided·by·the·RPM·package
76 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary76 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary
77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
78 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration78 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
79 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be79 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
80 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more80 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
81 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39925"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords81 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39943"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords
82 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with82 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with
83 empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>:83 empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>:
84 <br>84 <br>
85 <pre>PermitEmptyPasswords·no</pre>85 <pre>PermitEmptyPasswords·no</pre>
86 <br>86 <br>
87 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration87 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration
88 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that88 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that
89 remote·login·via·SSH·will·require·a·password,·even·in·the·event·of·89 remote·login·via·SSH·will·require·a·password,·even·in·the·event·of·
90 misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 90 misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
91 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 91 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
92 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27471-2">CCE-27471-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 92 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27471-2">CCE-27471-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
93 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010300</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm39952">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39952"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if93 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-010300</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">
CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm39970">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39970"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
94 #·it·does·not·exist.94 #·it·does·not·exist.
95 #95 #
96 #·Expects·arguments:96 #·Expects·arguments:
97 #97 #
98 #·config_file:»  »  Configuration·file·that·will·be·modified98 #·config_file:»  »  Configuration·file·that·will·be·modified
99 #·key:»  »  »  Configuration·option·to·change99 #·key:»  »  »  Configuration·option·to·change
100 #·value:»»Value·of·the·configuration·option·to·change100 #·value:»»Value·of·the·configuration·option·to·change
Offset 165, 15 lines modifiedOffset 165, 15 lines modified
165 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline165 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
166 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"166 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"
167 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"167 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"
168 ··fi168 ··fi
169 }169 }
  
170 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'170 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'
171 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39954">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39954"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Disable·SSH·Access·via·Empty·Passwords171 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39972">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39972"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Disable·SSH·Access·via·Empty·Passwords
172 ··lineinfile:172 ··lineinfile:
173 ····create:·yes173 ····create:·yes
174 ····dest:·/etc/ssh/sshd_config174 ····dest:·/etc/ssh/sshd_config
175 ····regexp:·^PermitEmptyPasswords175 ····regexp:·^PermitEmptyPasswords
176 ····line:·PermitEmptyPasswords·no176 ····line:·PermitEmptyPasswords·no
177 ····validate:·sshd·-t·-f·%s177 ····validate:·sshd·-t·-f·%s
178 ··tags:178 ··tags:
Offset 186, 22 lines modifiedOffset 186, 22 lines modified
186 ····-·NIST-800-53-AC-3186 ····-·NIST-800-53-AC-3
187 ····-·NIST-800-53-AC-6187 ····-·NIST-800-53-AC-6
188 ····-·NIST-800-53-CM-6(b)188 ····-·NIST-800-53-CM-6(b)
189 ····-·NIST-800-171-3.1.1189 ····-·NIST-800-171-3.1.1
190 ····-·NIST-800-171-3.1.5190 ····-·NIST-800-171-3.1.5
191 ····-·CJIS-5.5.6191 ····-·CJIS-5.5.6
192 ····-·DISA-STIG-RHEL-07-010300192 ····-·DISA-STIG-RHEL-07-010300
193 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm39960"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count193 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm39978"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,194 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
195 edit·<code>/etc/ssh/sshd_config</code>·as·follows:195 edit·<code>/etc/ssh/sshd_config</code>·as·follows:
196 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>196 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
197 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 197 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
198 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 198 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
199 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27082-7">CCE-27082-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 199 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27082-7">CCE-27082-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
200 ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040340</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm39987">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39987"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if200 ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040340</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-O
S-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm40005">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40005"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
201 #·it·does·not·exist.201 #·it·does·not·exist.
202 #202 #
203 #·Expects·arguments:203 #·Expects·arguments:
204 #204 #
205 #·config_file:»  »  Configuration·file·that·will·be·modified205 #·config_file:»  »  Configuration·file·that·will·be·modified
206 #·key:»  »  »  Configuration·option·to·change206 #·key:»  »  »  Configuration·option·to·change
207 #·value:»»Value·of·the·configuration·option·to·change207 #·value:»»Value·of·the·configuration·option·to·change
Offset 272, 15 lines modifiedOffset 272, 15 lines modified
272 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline272 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
273 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"273 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"
274 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"274 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"
275 ··fi275 ··fi
276 }276 }
  
277 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'277 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
278 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39989">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39989"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Set·SSH·Client·Alive·Count278 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm40007">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40007"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Set·SSH·Client·Alive·Count
279 ··lineinfile:279 ··lineinfile:
280 ····create:·yes280 ····create:·yes
281 ····dest:·/etc/ssh/sshd_config281 ····dest:·/etc/ssh/sshd_config
282 ····regexp:·^ClientAliveCountMax282 ····regexp:·^ClientAliveCountMax
283 ····line:·ClientAliveCountMax·0283 ····line:·ClientAliveCountMax·0
284 ····validate:·sshd·-t·-f·%s284 ····validate:·sshd·-t·-f·%s
285 ··#notify:·restart·sshd285 ··#notify:·restart·sshd
Offset 293, 26 lines modifiedOffset 293, 36 lines modified
293 ····-·CCE-27082-7293 ····-·CCE-27082-7
294 ····-·NIST-800-53-AC-2(5)294 ····-·NIST-800-53-AC-2(5)
295 ····-·NIST-800-53-SA-8295 ····-·NIST-800-53-SA-8
296 ····-·NIST-800-53-AC-12296 ····-·NIST-800-53-AC-12
297 ····-·NIST-800-171-3.1.11297 ····-·NIST-800-171-3.1.11
298 ····-·CJIS-5.5.6298 ····-·CJIS-5.5.6
299 ····-·DISA-STIG-RHEL-07-040340299 ····-·DISA-STIG-RHEL-07-040340
300 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner"·id="guide-tree-leaf-idm40036"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner">Enable·SSH·Warning·Banner300 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm40013"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
301 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·enable·the·warning·banner·and·ensure·it·is·consistent301 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout
302 across·the·system,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>:302 interval.
303 <pre>Banner·/etc/issue</pre>303 After·this·interval·has·passed,·the·idle·user·will·be
304 Another·section·contains·information·on·how·to·create·an304 automatically·logged·out.
305 appropriate·system-wide·warning·banner.</p><span·class="label·label-primary">Rationale:</span><p>The·warning·message·reinforces·policy·awareness·during·the·logon·process·and305 <br><br>
306 facilitates·possible·legal·action·against·attackers.·Alternatively,·systems306 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
307 whose·ownership·should·not·be·obvious·should·ensure·usage·of·a·banner·that·does307 follows:
308 not·provide·easy·attribution.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 308 <pre>ClientAliveInterval·<b>interval</b></pre>
309 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 309 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout
310 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27314-4">CCE-27314-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 310 of·10·minutes,·set·<b>interval</b>·to·600.
311 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040170</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86849r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.16</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000050</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001384</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001385</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001386</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001387</a>,·<a·[·...·truncated·by·diffoscope;·len:·1912,·SHA:·920bc07202ec530fc8c24843f3d4f9ab6c24041a1a72269536fc19bac680f8d3·...·]311 <br><br>
 312 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·
 313 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
 314 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of
 315 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session
 316 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 317 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
 318 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27433-2">CCE-27433-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 319 ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040320</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm40040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40040"><pre><code>
 320 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">1800</abbr>"
 321 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
312 #·it·does·not·exist.322 #·it·does·not·exist.
313 #323 #
314 #·Expects·arguments:324 #·Expects·arguments:
315 #325 #
316 #·config_file:»  »  Configuration·file·that·will·be·modified326 #·config_file:»  »  Configuration·file·that·will·be·modified
317 #·key:»  »  »  Configuration·option·to·change327 #·key:»  »  »  Configuration·option·to·change
318 #·value:»»Value·of·the·configuration·option·to·change328 #·value:»»Value·of·the·configuration·option·to·change
Offset 382, 46 lines modifiedOffset 392, 55 lines modified
382 ··else392 ··else
383 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline393 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
384 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"394 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"
385 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"395 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"
386 ··fi396 ··fi
387 }397 }
  
Max diff block lines reached; 493160/522900 bytes (94.31%) of diff not shown.
115 KB
./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-default.html
    
Offset 48, 27 lines modifiedOffset 48, 24 lines modified
48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in48 </div><div·class="top-spacer-10"><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The49 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by50 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its51 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
52 quality,·reliability,·or·any·other·characteristic.52 quality,·reliability,·or·any·other·characteristic.
53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>53 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
54 ····························(as·of·2018-07-26)54 ····························(as·of·2018-07-26)
55 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_docker">Docker·Service</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1045,·SHA:·427d41e93b9df052bf3dd439ca5d5079efd8e47dbd3fdf0310dd320bc63cc356·...·]</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf
_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project55 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·1045,·SHA:·34a457b90e6dfc8c26555d3cb2e11b5b3c1823d634243e7c52f3554b7bfc3eae·...·]</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_or
g.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services56 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review57 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
58 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It58 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It
59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which59 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which
60 ones·can·be·safely·disabled.60 ones·can·be·safely·disabled.
61 <br><br>61 <br><br>
62 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional62 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
63 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up63 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
64 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service64 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are 
66 ··self-sufficient·and·self-contained·applications·using·the·resource 
67 ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services 
68 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible
69 services·which·have·historically·caused·problems·for·system66 services·which·have·historically·caused·problems·for·system
70 security,·and·for·which·disabling·or·severely·limiting·the·service67 security,·and·for·which·disabling·or·severely·limiting·the·service
71 has·been·the·best·available·guidance·for·some·time.·As·a·result·of68 has·been·the·best·available·guidance·for·some·time.·As·a·result·of
72 this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·769 this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7
73 by·default.70 by·default.
74 <br><br>71 <br><br>
Offset 102, 15 lines modifiedOffset 99, 51 lines modified
102 found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd99 found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd
103 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some100 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some
104 network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access101 network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access
105 controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other102 controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other
106 features,·and·it·is·not·installed·by·default.·The·older·Inetd·service103 features,·and·it·is·not·installed·by·default.·The·older·Inetd·service
107 is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services104 is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services
108 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages105 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages
109 across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack106 across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server
 107 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not
 108 installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a>
 109 contains·more·detailed·information·about·Dovecot
 110 configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary
 111 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or
 112 POP3·server,·the·dovecot·software·should·be·configured·securely·by·following
 113 the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support
 114 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the·
 115 Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot·
 116 server·in·order·to·read·their·mail,·and·passwords·should·never·be·
 117 transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is·
 118 downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates·
 119 to·authenticate·the·server,·preventing·another·system·from·impersonating·
 120 the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server
 121 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound
 122 access·to·any·services.·This·modification·will·allow·remote·hosts·to
 123 initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports
 124 on·the·server·in·their·default·protected·state.
  
 125 ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s):
 126 ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and
 127 ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols
 128 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as·
 129 SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server·
 130 to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.·
 131 Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with·
 132 only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,·
 133 <code>pop3</code>,·<code>pop3s</code>)·required:
 134 <pre>protocols·=·PROTOCOL</pre>
 135 If·possible,·require·SSL·protection·for·all·transactions.·The·SSL·
 136 protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for·
 137 pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.·
 138 An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the·
 139 client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot
 140 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or
 141 POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack
110 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server142 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
111 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to143 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
112 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means144 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
113 that·passwords·and·other·data·transmitted·during·the·session·can·be145 that·passwords·and·other·data·transmitted·during·the·session·can·be
114 captured·and·that·the·session·is·vulnerable·to·hijacking.146 captured·and·that·the·session·is·vulnerable·to·hijacking.
115 Therefore,·running·the·FTP·server·software·is·not·recommended.147 Therefore,·running·the·FTP·server·software·is·not·recommended.
116 <br><br>148 <br><br>
Offset 866, 51 lines modifiedOffset 899, 18 lines modified
866 supersede·domain-name-servers·192.168.1.2;899 supersede·domain-name-servers·192.168.1.2;
867 supersede·nis-domain·"";900 supersede·nis-domain·"";
868 supersede·nis-servers·"";901 supersede·nis-servers·"";
869 supersede·ntp-servers·"ntp.example.com·";902 supersede·ntp-servers·"ntp.example.com·";
870 supersede·routers·192.168.1.1;903 supersede·routers·192.168.1.1;
871 supersede·time-offset·-18000;904 supersede·time-offset·-18000;
872 request·subnet-mask;905 request·subnet-mask;
873 require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server906 require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service
874 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not907 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are
875 installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a>908 ··self-sufficient·and·self-contained·applications·using·the·resource
876 contains·more·detailed·information·about·Dovecot909 ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC
877 configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary 
878 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or 
879 POP3·server,·the·dovecot·software·should·be·configured·securely·by·following 
880 the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support 
881 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· 
882 Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· 
883 server·in·order·to·read·their·mail,·and·passwords·should·never·be· 
884 transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· 
885 downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· 
886 to·authenticate·the·server,·preventing·another·system·from·impersonating· 
887 the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server 
888 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound 
889 access·to·any·services.·This·modification·will·allow·remote·hosts·to 
890 initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports 
891 on·the·server·in·their·default·protected·state. 
  
892 ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): 
893 ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and 
894 ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols 
895 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· 
896 SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· 
897 to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· 
898 Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· 
899 only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· 
900 <code>pop3</code>,·<code>pop3s</code>)·required: 
901 <pre>protocols·=·PROTOCOL</pre> 
902 If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· 
903 protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· 
904 pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· 
905 An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· 
906 client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot 
907 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or 
908 POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC 
909 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for910 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for
910 the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the911 the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the
911 circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies,912 circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies,
Max diff block lines reached; 84025/117952 bytes (71.24%) of diff not shown.
908 KB
./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-hipaa.html
    
Offset 82, 25 lines modifiedOffset 82, 25 lines modified
82 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict82 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
83 the·service·as·much·as·possible,·for·instance·by·configuring·host83 the·service·as·much·as·possible,·for·instance·by·configuring·host
84 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the84 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
85 vulnerable·service·to·only·those·remote·hosts·which·have·a·known85 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
86 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec86 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
88 allow·cleartext·remote·access·and·have·an·insecure·trust88 allow·cleartext·remote·access·and·have·an·insecure·trust
89 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package89 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35969"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
90 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands90 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
91 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have91 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
92 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,92 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
93 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from93 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
94 inadvertently·attempting·to·use·these·commands·and·therefore·exposing94 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
95 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes95 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
96 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 97 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 98 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
99 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36018">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36018"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.99 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm35993">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35993"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
100 #100 #
101 #·Example·Call(s):101 #·Example·Call(s):
102 #102 #
103 #·····package_remove·telnet-server103 #·····package_remove·telnet-server
104 #104 #
105 function·package_remove·{105 function·package_remove·{
  
Offset 130, 63 lines modifiedOffset 130, 63 lines modified
130 ··echo·"Aborting."130 ··echo·"Aborting."
131 ··exit·1131 ··exit·1
132 fi132 fi
  
133 }133 }
  
134 package_remove·rsh134 package_remove·rsh
135 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed135 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
136 ··package:136 ··package:
137 ····name="{{item}}"137 ····name="{{item}}"
138 ····state=absent138 ····state=absent
139 ··with_items:139 ··with_items:
140 ····-·rsh140 ····-·rsh
141 ··tags:141 ··tags:
142 ····-·package_rsh_removed142 ····-·package_rsh_removed
143 ····-·unknown_severity143 ····-·unknown_severity
144 ····-·disable_strategy144 ····-·disable_strategy
145 ····-·low_complexity145 ····-·low_complexity
146 ····-·low_disruption146 ····-·low_disruption
147 ····-·CCE-27274-0147 ····-·CCE-27274-0
148 ····-·NIST-800-171-3.1.13148 ····-·NIST-800-171-3.1.13
149 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh149 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35996">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35996"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
150 class·remove_rsh·{150 class·remove_rsh·{
151 ··package·{·'rsh':151 ··package·{·'rsh':
152 ····ensure·=&gt;·'purged',152 ····ensure·=&gt;·'purged',
153 ··}153 ··}
154 }154 }
155 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36022">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36022"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>155 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35997">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35997"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
156 package·--remove=rsh156 package·--remove=rsh
157 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service157 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
158 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with158 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
159 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately159 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
160 as·a·systemd·socket,·should·be·disabled.160 as·a·systemd·socket,·should·be·disabled.
161 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.161 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
162 If·using·systemd,·162 If·using·systemd,·
163 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:163 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
164 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which164 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
165 means·that·data·from·the·login·session,·including·passwords·and165 means·that·data·from·the·login·session,·including·passwords·and
166 all·other·information·transmitted·during·the·session,·can·be166 all·other·information·transmitted·during·the·session,·can·be
167 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 167 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
168 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 168 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
169 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 169 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
170 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36052">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36052"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\170 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36027">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36027"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
171 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin171 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
172 #172 #
173 #·Disable·rlogin.socket·for·all·systemd·targets173 #·Disable·rlogin.socket·for·all·systemd·targets
174 #174 #
175 systemctl·disable·rlogin.socket175 systemctl·disable·rlogin.socket
  
176 #176 #
177 #·Stop·rlogin.socket·if·currently·running177 #·Stop·rlogin.socket·if·currently·running
178 #178 #
179 systemctl·stop·rlogin.socket179 systemctl·stop·rlogin.socket
180 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36053">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36053"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin180 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36028">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36028"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
181 ··service:181 ··service:
182 ····name="{{item}}"182 ····name="{{item}}"
183 ····enabled="no"183 ····enabled="no"
184 ····state="stopped"184 ····state="stopped"
185 ··register:·service_result185 ··register:·service_result
186 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"186 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
187 ··with_items:187 ··with_items:
Offset 199, 40 lines modifiedOffset 199, 40 lines modified
199 ····-·low_disruption199 ····-·low_disruption
200 ····-·CCE-27336-7200 ····-·CCE-27336-7
201 ····-·NIST-800-53-AC-17(8)201 ····-·NIST-800-53-AC-17(8)
202 ····-·NIST-800-53-CM-7202 ····-·NIST-800-53-CM-7
203 ····-·NIST-800-53-IA-5(1)(c)203 ····-·NIST-800-53-IA-5(1)(c)
204 ····-·NIST-800-171-3.1.13204 ····-·NIST-800-171-3.1.13
205 ····-·NIST-800-171-3.4.7205 ····-·NIST-800-171-3.4.7
206 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36058"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service206 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36033"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
207 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with207 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
208 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately208 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
209 as·a·systemd·socket,·should·be·disabled.209 as·a·systemd·socket,·should·be·disabled.
210 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·210 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
211 If·using·systemd,·211 If·using·systemd,·
212 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:212 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
213 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which213 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
214 means·that·data·from·the·login·session,·including·passwords·and214 means·that·data·from·the·login·session,·including·passwords·and
215 all·other·information·transmitted·during·the·session,·can·be215 all·other·information·transmitted·during·the·session,·can·be
216 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 216 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
217 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 217 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
218 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 218 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
219 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36083">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36083"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\219 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36058">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36058"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
220 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec220 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
221 #221 #
222 #·Disable·rexec.socket·for·all·systemd·targets222 #·Disable·rexec.socket·for·all·systemd·targets
223 #223 #
224 systemctl·disable·rexec.socket224 systemctl·disable·rexec.socket
  
225 #225 #
226 #·Stop·rexec.socket·if·currently·running226 #·Stop·rexec.socket·if·currently·running
227 #227 #
228 systemctl·stop·rexec.socket228 systemctl·stop·rexec.socket
229 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec229 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36059">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36059"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec
230 ··service:230 ··service:
231 ····name="{{item}}"231 ····name="{{item}}"
232 ····enabled="no"232 ····enabled="no"
233 ····state="stopped"233 ····state="stopped"
Max diff block lines reached; 903645/930099 bytes (97.16%) of diff not shown.
1.76 MB
./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-nist-800-171-cui.html
    
Offset 90, 25 lines modifiedOffset 90, 25 lines modified
90 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict90 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
91 the·service·as·much·as·possible,·for·instance·by·configuring·host91 the·service·as·much·as·possible,·for·instance·by·configuring·host
92 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the92 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
93 vulnerable·service·to·only·those·remote·hosts·which·have·a·known93 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
94 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec94 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
95 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which95 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
96 allow·cleartext·remote·access·and·have·an·insecure·trust96 allow·cleartext·remote·access·and·have·an·insecure·trust
97 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package97 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35969"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
99 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have99 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
100 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,100 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
101 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from101 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
102 inadvertently·attempting·to·use·these·commands·and·therefore·exposing102 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
103 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes103 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
104 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 104 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
105 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 105 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
106 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 106 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
107 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36018">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36018"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.107 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm35993">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35993"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
108 #108 #
109 #·Example·Call(s):109 #·Example·Call(s):
110 #110 #
111 #·····package_remove·telnet-server111 #·····package_remove·telnet-server
112 #112 #
113 function·package_remove·{113 function·package_remove·{
  
Offset 138, 63 lines modifiedOffset 138, 63 lines modified
138 ··echo·"Aborting."138 ··echo·"Aborting."
139 ··exit·1139 ··exit·1
140 fi140 fi
  
141 }141 }
  
142 package_remove·rsh142 package_remove·rsh
143 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed143 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
144 ··package:144 ··package:
145 ····name="{{item}}"145 ····name="{{item}}"
146 ····state=absent146 ····state=absent
147 ··with_items:147 ··with_items:
148 ····-·rsh148 ····-·rsh
149 ··tags:149 ··tags:
150 ····-·package_rsh_removed150 ····-·package_rsh_removed
151 ····-·unknown_severity151 ····-·unknown_severity
152 ····-·disable_strategy152 ····-·disable_strategy
153 ····-·low_complexity153 ····-·low_complexity
154 ····-·low_disruption154 ····-·low_disruption
155 ····-·CCE-27274-0155 ····-·CCE-27274-0
156 ····-·NIST-800-171-3.1.13156 ····-·NIST-800-171-3.1.13
157 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh157 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35996">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35996"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
158 class·remove_rsh·{158 class·remove_rsh·{
159 ··package·{·'rsh':159 ··package·{·'rsh':
160 ····ensure·=&gt;·'purged',160 ····ensure·=&gt;·'purged',
161 ··}161 ··}
162 }162 }
163 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36022">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36022"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>163 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35997">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35997"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
164 package·--remove=rsh164 package·--remove=rsh
165 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service165 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
166 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with166 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
167 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately167 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
168 as·a·systemd·socket,·should·be·disabled.168 as·a·systemd·socket,·should·be·disabled.
169 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.169 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
170 If·using·systemd,·170 If·using·systemd,·
171 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:171 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
172 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which172 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
173 means·that·data·from·the·login·session,·including·passwords·and173 means·that·data·from·the·login·session,·including·passwords·and
174 all·other·information·transmitted·during·the·session,·can·be174 all·other·information·transmitted·during·the·session,·can·be
175 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 175 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
176 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 176 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
177 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 177 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
178 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36052">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36052"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\178 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36027">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36027"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
179 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin179 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
180 #180 #
181 #·Disable·rlogin.socket·for·all·systemd·targets181 #·Disable·rlogin.socket·for·all·systemd·targets
182 #182 #
183 systemctl·disable·rlogin.socket183 systemctl·disable·rlogin.socket
  
184 #184 #
185 #·Stop·rlogin.socket·if·currently·running185 #·Stop·rlogin.socket·if·currently·running
186 #186 #
187 systemctl·stop·rlogin.socket187 systemctl·stop·rlogin.socket
188 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36053">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36053"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin188 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36028">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36028"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
189 ··service:189 ··service:
190 ····name="{{item}}"190 ····name="{{item}}"
191 ····enabled="no"191 ····enabled="no"
192 ····state="stopped"192 ····state="stopped"
193 ··register:·service_result193 ··register:·service_result
194 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"194 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
195 ··with_items:195 ··with_items:
Offset 207, 40 lines modifiedOffset 207, 40 lines modified
207 ····-·low_disruption207 ····-·low_disruption
208 ····-·CCE-27336-7208 ····-·CCE-27336-7
209 ····-·NIST-800-53-AC-17(8)209 ····-·NIST-800-53-AC-17(8)
210 ····-·NIST-800-53-CM-7210 ····-·NIST-800-53-CM-7
211 ····-·NIST-800-53-IA-5(1)(c)211 ····-·NIST-800-53-IA-5(1)(c)
212 ····-·NIST-800-171-3.1.13212 ····-·NIST-800-171-3.1.13
213 ····-·NIST-800-171-3.4.7213 ····-·NIST-800-171-3.4.7
214 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36058"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service214 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36033"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
215 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with215 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
216 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately216 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
217 as·a·systemd·socket,·should·be·disabled.217 as·a·systemd·socket,·should·be·disabled.
218 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·218 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
219 If·using·systemd,·219 If·using·systemd,·
220 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:220 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
221 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which221 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
222 means·that·data·from·the·login·session,·including·passwords·and222 means·that·data·from·the·login·session,·including·passwords·and
223 all·other·information·transmitted·during·the·session,·can·be223 all·other·information·transmitted·during·the·session,·can·be
224 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 224 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
225 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 225 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
226 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 226 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
227 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36083">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36083"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\227 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36058">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36058"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
228 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec228 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
229 #229 #
230 #·Disable·rexec.socket·for·all·systemd·targets230 #·Disable·rexec.socket·for·all·systemd·targets
231 #231 #
232 systemctl·disable·rexec.socket232 systemctl·disable·rexec.socket
  
233 #233 #
234 #·Stop·rexec.socket·if·currently·running234 #·Stop·rexec.socket·if·currently·running
235 #235 #
236 systemctl·stop·rexec.socket236 systemctl·stop·rexec.socket
237 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec237 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36059">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36059"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec
238 ··service:238 ··service:
239 ····name="{{item}}"239 ····name="{{item}}"
240 ····enabled="no"240 ····enabled="no"
241 ····state="stopped"241 ····state="stopped"
Max diff block lines reached; 1817618/1844072 bytes (98.57%) of diff not shown.
1.76 MB
./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-ospp.html
    
Offset 101, 25 lines modifiedOffset 101, 25 lines modified
101 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict101 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
102 the·service·as·much·as·possible,·for·instance·by·configuring·host102 the·service·as·much·as·possible,·for·instance·by·configuring·host
103 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the103 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
104 vulnerable·service·to·only·those·remote·hosts·which·have·a·known104 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
105 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec105 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
106 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which106 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
107 allow·cleartext·remote·access·and·have·an·insecure·trust107 allow·cleartext·remote·access·and·have·an·insecure·trust
108 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35994"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package108 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35969"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
109 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands109 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
110 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have110 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
111 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,111 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
112 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from112 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
113 inadvertently·attempting·to·use·these·commands·and·therefore·exposing113 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
114 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes114 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
115 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 115 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
116 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 116 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
117 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 117 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27274-0">CCE-27274-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
118 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36018">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36018"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.118 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm35993">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35993"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
119 #119 #
120 #·Example·Call(s):120 #·Example·Call(s):
121 #121 #
122 #·····package_remove·telnet-server122 #·····package_remove·telnet-server
123 #123 #
124 function·package_remove·{124 function·package_remove·{
  
Offset 149, 63 lines modifiedOffset 149, 63 lines modified
149 ··echo·"Aborting."149 ··echo·"Aborting."
150 ··exit·1150 ··exit·1
151 fi151 fi
  
152 }152 }
  
153 package_remove·rsh153 package_remove·rsh
154 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36020">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36020"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed154 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35995">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35995"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
155 ··package:155 ··package:
156 ····name="{{item}}"156 ····name="{{item}}"
157 ····state=absent157 ····state=absent
158 ··with_items:158 ··with_items:
159 ····-·rsh159 ····-·rsh
160 ··tags:160 ··tags:
161 ····-·package_rsh_removed161 ····-·package_rsh_removed
162 ····-·unknown_severity162 ····-·unknown_severity
163 ····-·disable_strategy163 ····-·disable_strategy
164 ····-·low_complexity164 ····-·low_complexity
165 ····-·low_disruption165 ····-·low_disruption
166 ····-·CCE-27274-0166 ····-·CCE-27274-0
167 ····-·NIST-800-171-3.1.13167 ····-·NIST-800-171-3.1.13
168 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh168 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35996">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35996"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
169 class·remove_rsh·{169 class·remove_rsh·{
170 ··package·{·'rsh':170 ··package·{·'rsh':
171 ····ensure·=&gt;·'purged',171 ····ensure·=&gt;·'purged',
172 ··}172 ··}
173 }173 }
174 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36022">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36022"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>174 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm35997">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm35997"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
175 package·--remove=rsh175 package·--remove=rsh
176 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36027"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service176 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
177 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with177 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
178 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately178 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
179 as·a·systemd·socket,·should·be·disabled.179 as·a·systemd·socket,·should·be·disabled.
180 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.180 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
181 If·using·systemd,·181 If·using·systemd,·
182 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:182 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
183 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which183 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
184 means·that·data·from·the·login·session,·including·passwords·and184 means·that·data·from·the·login·session,·including·passwords·and
185 all·other·information·transmitted·during·the·session,·can·be185 all·other·information·transmitted·during·the·session,·can·be
186 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 186 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
187 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 187 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
188 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 188 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27336-7">CCE-27336-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
189 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36052">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36052"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\189 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36027">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36027"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
190 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin190 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
191 #191 #
192 #·Disable·rlogin.socket·for·all·systemd·targets192 #·Disable·rlogin.socket·for·all·systemd·targets
193 #193 #
194 systemctl·disable·rlogin.socket194 systemctl·disable·rlogin.socket
  
195 #195 #
196 #·Stop·rlogin.socket·if·currently·running196 #·Stop·rlogin.socket·if·currently·running
197 #197 #
198 systemctl·stop·rlogin.socket198 systemctl·stop·rlogin.socket
199 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36053">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36053"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin199 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36028">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36028"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
200 ··service:200 ··service:
201 ····name="{{item}}"201 ····name="{{item}}"
202 ····enabled="no"202 ····enabled="no"
203 ····state="stopped"203 ····state="stopped"
204 ··register:·service_result204 ··register:·service_result
205 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"205 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
206 ··with_items:206 ··with_items:
Offset 218, 40 lines modifiedOffset 218, 40 lines modified
218 ····-·low_disruption218 ····-·low_disruption
219 ····-·CCE-27336-7219 ····-·CCE-27336-7
220 ····-·NIST-800-53-AC-17(8)220 ····-·NIST-800-53-AC-17(8)
221 ····-·NIST-800-53-CM-7221 ····-·NIST-800-53-CM-7
222 ····-·NIST-800-53-IA-5(1)(c)222 ····-·NIST-800-53-IA-5(1)(c)
223 ····-·NIST-800-171-3.1.13223 ····-·NIST-800-171-3.1.13
224 ····-·NIST-800-171-3.4.7224 ····-·NIST-800-171-3.4.7
225 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36058"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service225 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36033"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
226 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with226 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
227 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately227 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
228 as·a·systemd·socket,·should·be·disabled.228 as·a·systemd·socket,·should·be·disabled.
229 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·229 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
230 If·using·systemd,·230 If·using·systemd,·
231 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:231 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
232 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which232 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
233 means·that·data·from·the·login·session,·including·passwords·and233 means·that·data·from·the·login·session,·including·passwords·and
234 all·other·information·transmitted·during·the·session,·can·be234 all·other·information·transmitted·during·the·session,·can·be
235 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 235 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
236 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 236 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
237 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 237 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27408-4">CCE-27408-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
238 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36083">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36083"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\238 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36058">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36058"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
239 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec239 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
240 #240 #
241 #·Disable·rexec.socket·for·all·systemd·targets241 #·Disable·rexec.socket·for·all·systemd·targets
242 #242 #
243 systemctl·disable·rexec.socket243 systemctl·disable·rexec.socket
  
244 #244 #
245 #·Stop·rexec.socket·if·currently·running245 #·Stop·rexec.socket·if·currently·running
246 #246 #
247 systemctl·stop·rexec.socket247 systemctl·stop·rexec.socket
248 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec248 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36059">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36059"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec
249 ··service:249 ··service:
250 ····name="{{item}}"250 ····name="{{item}}"
251 ····enabled="no"251 ····enabled="no"
252 ····state="stopped"252 ····state="stopped"
Max diff block lines reached; 1817620/1844076 bytes (98.57%) of diff not shown.
400 KB
./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-pci-dss.html
    
Offset 108, 15 lines modifiedOffset 108, 15 lines modified
108 <br><br>108 <br><br>
109 Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code>109 Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code>
110 and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to110 and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to
111 choose·between·the·two·NTP·daemons.111 choose·between·the·two·NTP·daemons.
112 <br><br>112 <br><br>
113 The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for113 The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for
114 <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional114 <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional
115 information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm38574"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers115 information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm38651"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers
116 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete116 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete
117 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be117 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be
118 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the118 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the
119 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to119 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to
120 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>120 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>
121 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for121 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for
122 further·guidance·how·to·choose·between·the·two·NTP·daemons.122 further·guidance·how·to·choose·between·the·two·NTP·daemons.
Offset 130, 15 lines modifiedOffset 130, 15 lines modified
130 hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:130 hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:
131 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of131 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of
132 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes132 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes
133 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for133 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for
134 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 134 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
135 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 135 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
136 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27012-4">CCE-27012-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 136 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27012-4">CCE-27012-4</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
137 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38595">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38595"><pre><code>137 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38672">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38672"><pre><code>
138 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"138 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"
  
139 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.139 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.
140 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries140 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries
141 #·$1:·Path·to·the·config·file141 #·$1:·Path·to·the·config·file
142 #·$2:·Comma-separated·list·of·servers142 #·$2:·Comma-separated·list·of·servers
143 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{143 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{
Offset 157, 15 lines modifiedOffset 157, 15 lines modified
  
157 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file157 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file
  
158 config_file="/etc/ntp.conf"158 config_file="/etc/ntp.conf"
159 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"159 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"
  
160 [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"160 [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"
161 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38600"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server161 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38677"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server
162 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete162 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete
163 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be163 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be
164 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the164 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the
165 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to165 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to
166 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>166 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>
167 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for167 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for
168 further·guidance·how·to·choose·between·the·two·NTP·daemons.168 further·guidance·how·to·choose·between·the·two·NTP·daemons.
Offset 178, 15 lines modifiedOffset 178, 15 lines modified
178 NTP·server·for·<em>ntpserver</em>:178 NTP·server·for·<em>ntpserver</em>:
179 <pre>server·<i>ntpserver</i></pre>179 <pre>server·<i>ntpserver</i></pre>
180 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time180 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time
181 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system181 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system
182 logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 182 logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
183 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 183 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
184 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27278-1">CCE-27278-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 184 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27278-1">CCE-27278-1</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
185 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38625">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38625"><pre><code>185 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38702">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38702"><pre><code>
186 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"186 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"
  
187 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.187 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.
188 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries188 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries
189 #·$1:·Path·to·the·config·file189 #·$1:·Path·to·the·config·file
190 #·$2:·Comma-separated·list·of·servers190 #·$2:·Comma-separated·list·of·servers
191 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{191 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{
Offset 205, 15 lines modifiedOffset 205, 15 lines modified
  
205 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file205 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file
  
206 config_file="/etc/ntp.conf"206 config_file="/etc/ntp.conf"
207 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"207 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"
  
208 grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"208 grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"
209 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38632"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">Enable·the·NTP·Daemon209 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38709"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">Enable·the·NTP·Daemon
210 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>210 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
211 ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command:211 ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command:
212 ········<pre>$·sudo·systemctl·enable·chronyd.service</pre>212 ········<pre>$·sudo·systemctl·enable·chronyd.service</pre>
213 Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default.213 Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default.
214 <br><br>214 <br><br>
  
215 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:215 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
Offset 232, 15 lines modifiedOffset 232, 15 lines modified
232 <br><br>232 <br><br>
233 The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the233 The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the
234 functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional234 functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional
235 information·on·this·is·available·at235 information·on·this·is·available·at
236 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 236 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
237 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 237 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
238 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27444-9">CCE-27444-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 238 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27444-9">CCE-27444-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
239 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38661">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38661"><pre><code>239 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38738">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38738"><pre><code>
  
240 if·!·`rpm·-q·--quiet·chrony`·&amp;&amp;·!·`rpm·-q·--quiet·ntp-`;·then240 if·!·`rpm·-q·--quiet·chrony`·&amp;&amp;·!·`rpm·-q·--quiet·ntp-`;·then
241 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.241 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
242 #242 #
243 #·Example·Call(s):243 #·Example·Call(s):
244 #244 #
245 #·····package_install·aide245 #·····package_install·aide
Offset 445, 15 lines modifiedOffset 445, 15 lines modified
445 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·445 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·
446 is·called·<code>sshd</code>·and·provided·by·the·RPM·package446 is·called·<code>sshd</code>·and·provided·by·the·RPM·package
447 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary447 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary
448 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then448 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
449 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration449 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
450 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be450 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
451 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more451 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
452 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm40246"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval452 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm40013"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
453 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout453 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout
454 interval.454 interval.
455 After·this·interval·has·passed,·the·idle·user·will·be455 After·this·interval·has·passed,·the·idle·user·will·be
456 automatically·logged·out.456 automatically·logged·out.
457 <br><br>457 <br><br>
458 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as458 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
459 follows:459 follows:
Offset 464, 15 lines modifiedOffset 464, 15 lines modified
464 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·464 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·
465 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH465 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
466 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of466 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of
467 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session467 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session
468 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 468 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
469 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 469 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
470 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27433-2">CCE-27433-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 470 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27433-2">CCE-27433-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
471 ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040320</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm40273">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40273"><pre><code>471 
············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040320</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm40040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40040"><pre><code>
472 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"472 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"
473 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if473 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
474 #·it·does·not·exist.474 #·it·does·not·exist.
475 #475 #
476 #·Expects·arguments:476 #·Expects·arguments:
477 #477 #
478 #·config_file:»  »  Configuration·file·that·will·be·modified478 #·config_file:»  »  Configuration·file·that·will·be·modified
./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-rht-ccp.html
    
Offset 75, 24 lines modifiedOffset 75, 24 lines modified
75 the·service·as·much·as·possible,·for·instance·by·configuring·host75 the·service·as·much·as·possible,·for·instance·by·configuring·host
76 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the76 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
77 vulnerable·service·to·only·those·remote·hosts·which·have·a·known77 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
78 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet78 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet
79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity
80 for·information·transmitted·on·the·network.·This·includes·authentication80 for·information·transmitted·on·the·network.·This·includes·authentication
81 information·such·as·passwords.·Organizations·which·use·telnet·should·be81 information·such·as·passwords.·Organizations·which·use·telnet·should·be
82 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm36217"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet_removed">Remove·telnet·Clients82 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm36192"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet_removed">Remove·telnet·Clients
83 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other·83 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other·
84 systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use84 systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use
85 of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user85 of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user
86 to·steal·credentials.·The·<code>ssh</code>·package·provides·an86 to·steal·credentials.·The·<code>ssh</code>·package·provides·an
87 encrypted·session·and·stronger·security·and·is·included·in·Red·Hat87 encrypted·session·and·stronger·security·and·is·included·in·Red·Hat
88 Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 88 Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
89 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 89 ························low</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
90 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27305-2">CCE-27305-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 90 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27305-2">CCE-27305-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
91 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36238">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36238"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.91 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36213">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36213"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
92 #92 #
93 #·Example·Call(s):93 #·Example·Call(s):
94 #94 #
95 #·····package_remove·telnet-server95 #·····package_remove·telnet-server
96 #96 #
97 function·package_remove·{97 function·package_remove·{
  
Offset 122, 38 lines modifiedOffset 122, 38 lines modified
122 ··echo·"Aborting."122 ··echo·"Aborting."
123 ··exit·1123 ··exit·1
124 fi124 fi
  
125 }125 }
  
126 package_remove·telnet126 package_remove·telnet
127 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36240">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36240"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnet·is·removed127 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36215">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36215"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnet·is·removed
128 ··package:128 ··package:
129 ····name="{{item}}"129 ····name="{{item}}"
130 ····state=absent130 ····state=absent
131 ··with_items:131 ··with_items:
132 ····-·telnet132 ····-·telnet
133 ··tags:133 ··tags:
134 ····-·package_telnet_removed134 ····-·package_telnet_removed
135 ····-·low_severity135 ····-·low_severity
136 ····-·disable_strategy136 ····-·disable_strategy
137 ····-·low_complexity137 ····-·low_complexity
138 ····-·low_disruption138 ····-·low_disruption
139 ····-·CCE-27305-2139 ····-·CCE-27305-2
140 ····-·NIST-800-171-3.1.13140 ····-·NIST-800-171-3.1.13
141 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36241">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36241"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnet141 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36216">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36216"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnet
  
142 class·remove_telnet·{142 class·remove_telnet·{
143 ··package·{·'telnet':143 ··package·{·'telnet':
144 ····ensure·=&gt;·'purged',144 ····ensure·=&gt;·'purged',
145 ··}145 ··}
146 }146 }
147 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36242">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36242"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>147 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36217">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36217"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
148 package·--remove=telnet148 package·--remove=telnet
149 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm36247"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_telnet_disabled">Disable·telnet·Service149 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm36222"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_telnet_disabled">Disable·telnet·Service
150 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code>150 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code>
151 is·not·created·automatically.·If·it·was·created·manually,·check·the151 is·not·created·automatically.·If·it·was·created·manually,·check·the
152 <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code>152 <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code>
153 is·changed·to·read·<code>disable·=·yes</code>·as·follows·below:153 is·changed·to·read·<code>disable·=·yes</code>·as·follows·below:
154 <pre>154 <pre>
155 #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\155 #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\
156 #·······unencrypted·username/password·pairs·for·authentication.156 #·······unencrypted·username/password·pairs·for·authentication.
Offset 177, 27 lines modifiedOffset 177, 27 lines modified
177 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which177 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which
178 means·that·data·from·the·login·session,·including·passwords·and178 means·that·data·from·the·login·session,·including·passwords·and
179 all·other·information·transmitted·during·the·session,·can·be179 all·other·information·transmitted·during·the·session,·can·be
180 stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also180 stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also
181 subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 181 subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
182 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 182 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
183 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27401-9">CCE-27401-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 183 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27401-9">CCE-27401-9</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
184 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36274">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36274"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/telnet·&amp;&amp;·\184 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36249">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36249"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/telnet·&amp;&amp;·\
185 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet185 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet
  
186 #186 #
187 #·Disable·telnet.socket·for·all·systemd·targets187 #·Disable·telnet.socket·for·all·systemd·targets
188 #188 #
189 systemctl·disable·telnet.socket189 systemctl·disable·telnet.socket
  
190 #190 #
191 #·Stop·telnet.socket·if·currently·running191 #·Stop·telnet.socket·if·currently·running
192 #192 #
193 systemctl·stop·telnet.socket193 systemctl·stop·telnet.socket
194 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36275">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36275"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·telnet194 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36250">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36250"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·telnet
195 ··service:195 ··service:
196 ····name="{{item}}"196 ····name="{{item}}"
197 ····enabled="no"197 ····enabled="no"
198 ····state="stopped"198 ····state="stopped"
199 ··register:·service_result199 ··register:·service_result
200 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"200 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
201 ··with_items:201 ··with_items:
Offset 210, 30 lines modifiedOffset 210, 30 lines modified
210 ····-·low_disruption210 ····-·low_disruption
211 ····-·CCE-27401-9211 ····-·CCE-27401-9
212 ····-·NIST-800-53-AC-17(8)212 ····-·NIST-800-53-AC-17(8)
213 ····-·NIST-800-53-CM-7213 ····-·NIST-800-53-CM-7
214 ····-·NIST-800-53-IA-5(1)(c)214 ····-·NIST-800-53-IA-5(1)(c)
215 ····-·NIST-800-171-3.1.13215 ····-·NIST-800-171-3.1.13
216 ····-·NIST-800-171-3.4.7216 ····-·NIST-800-171-3.4.7
217 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36280"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package217 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36255"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package
218 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with218 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with
219 the·following·command:219 the·following·command:
220 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding220 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding
221 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore221 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore
222 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.222 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.
223 <br>223 <br>
224 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·224 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·
225 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were225 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were
226 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.226 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.
227 <br>227 <br>
228 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·228 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·
229 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 229 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
230 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 230 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
231 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27165-0">CCE-27165-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 231 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27165-0">CCE-27165-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
232 ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021710</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm36309">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36309"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.232 ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021710</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublica
tions/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36284">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36284"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
233 #233 #
234 #·Example·Call(s):234 #·Example·Call(s):
235 #235 #
236 #·····package_remove·telnet-server236 #·····package_remove·telnet-server
237 #237 #
238 function·package_remove·{238 function·package_remove·{
  
Offset 263, 15 lines modifiedOffset 263, 15 lines modified
263 ··echo·"Aborting."263 ··echo·"Aborting."
264 ··exit·1264 ··exit·1
265 fi265 fi
  
Max diff block lines reached; 145186/171623 bytes (84.60%) of diff not shown.
351 KB
./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-standard.html
    
Offset 63, 29 lines modifiedOffset 63, 29 lines modified
63 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional63 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
64 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up64 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
65 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons65 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons
66 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to66 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to
67 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost67 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost
68 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or68 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or
69 may·not·be·required·on·a·given·system.·Both·daemons·should·be69 may·not·be·required·on·a·given·system.·Both·daemons·should·be
70 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm36944"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd)70 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm37021"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd)
71 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to71 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to
72 schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed72 schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed
73 execution·in·a·manner·similar·to·cron,·except·that·it·is·not73 execution·in·a·manner·similar·to·cron,·except·that·it·is·not
74 recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via74 recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via
75 <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time.75 <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time.
  
76 ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command:76 ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command:
77 ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry77 ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry
78 out·activities·outside·of·a·normal·login·session,·which·could·complicate78 out·activities·outside·of·a·normal·login·session,·which·could·complicate
79 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or79 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or
80 <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 80 <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
81 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 81 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
82 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80345-2">CCE-80345-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 82 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80345-2">CCE-80345-2</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
83 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36961">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36961"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.83 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm37038">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37038"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
84 #84 #
85 #·Example·Call(s):85 #·Example·Call(s):
86 #86 #
87 #·····service_command·enable·bluetooth87 #·····service_command·enable·bluetooth
88 #·····service_command·disable·bluetooth.service88 #·····service_command·disable·bluetooth.service
89 #89 #
90 #·····Using·xinetd:90 #·····Using·xinetd:
Offset 153, 15 lines modifiedOffset 153, 15 lines modified
153 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd153 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
154 ··fi154 ··fi
155 fi155 fi
  
156 }156 }
  
157 service_command·disable·atd157 service_command·disable·atd
158 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36963">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36963"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd158 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm37040">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37040"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd
159 ··service:159 ··service:
160 ····name="{{item}}"160 ····name="{{item}}"
161 ····enabled="no"161 ····enabled="no"
162 ····state="stopped"162 ····state="stopped"
163 ··register:·service_result163 ··register:·service_result
164 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"164 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
165 ··with_items:165 ··with_items:
Offset 176, 28 lines modifiedOffset 176, 28 lines modified
176 ····-·NIST-800-53-CM-7176 ····-·NIST-800-53-CM-7
177 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services177 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services
178 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a178 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a
179 Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other179 Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other
180 sections.·Some·of·these·services·listen·on·the·network·and180 sections.·Some·of·these·services·listen·on·the·network·and
181 should·be·treated·with·particular·discretion.·Other·services·are·local181 should·be·treated·with·particular·discretion.·Other·services·are·local
182 system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services182 system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services
183 should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38748"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled">Disable·Network·Router·Discovery·Daemon·(rdisc)183 should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38825"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled">Disable·Network·Router·Discovery·Daemon·(rdisc)
184 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP184 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP
185 Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on185 Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on
186 the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is186 the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is
187 updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled.187 updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled.
  
188 ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command:188 ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command:
189 ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing189 ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing
190 information·configured·statically·by·a·system·administrator.·Workstations·or190 information·configured·statically·by·a·system·administrator.·Workstations·or
191 some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve191 some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve
192 dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 192 dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
193 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 193 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80268-6">CCE-80268-6</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80268-6">CCE-80268-6</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38760">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38760"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.195 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38837">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38837"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
196 #196 #
197 #·Example·Call(s):197 #·Example·Call(s):
198 #198 #
199 #·····service_command·enable·bluetooth199 #·····service_command·enable·bluetooth
200 #·····service_command·disable·bluetooth.service200 #·····service_command·disable·bluetooth.service
201 #201 #
202 #·····Using·xinetd:202 #·····Using·xinetd:
Offset 265, 15 lines modifiedOffset 265, 15 lines modified
265 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd265 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
266 ··fi266 ··fi
267 fi267 fi
  
268 }268 }
  
269 service_command·disable·rdisc269 service_command·disable·rdisc
270 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm38762">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38762"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rdisc270 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm38839">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38839"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rdisc
271 ··service:271 ··service:
272 ····name="{{item}}"272 ····name="{{item}}"
273 ····enabled="no"273 ····enabled="no"
274 ····state="stopped"274 ····state="stopped"
275 ··register:·service_result275 ··register:·service_result
276 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"276 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
277 ··with_items:277 ··with_items:
Offset 284, 28 lines modifiedOffset 284, 28 lines modified
284 ····-·disable_strategy284 ····-·disable_strategy
285 ····-·low_complexity285 ····-·low_complexity
286 ····-·low_disruption286 ····-·low_disruption
287 ····-·CCE-80268-6287 ····-·CCE-80268-6
288 ····-·NIST-800-53-AC-17(8)288 ····-·NIST-800-53-AC-17(8)
289 ····-·NIST-800-53-AC-4289 ····-·NIST-800-53-AC-4
290 ····-·NIST-800-53-CM-7290 ····-·NIST-800-53-CM-7
291 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm38889"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">Disable·Odd·Job·Daemon·(oddjobd)291 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm38966"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">Disable·Odd·Job·Daemon·(oddjobd)
292 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and292 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and
293 access·control·mechanism·through·which293 access·control·mechanism·through·which
294 specified·privileged·tasks·can·run·tasks·for·unprivileged·client294 specified·privileged·tasks·can·run·tasks·for·unprivileged·client
295 applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus.295 applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus.
  
296 ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command:296 ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command:
297 ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in297 ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in
298 some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of298 some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of
299 tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally299 tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally
300 been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 300 been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
301 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 301 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
302 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80263-7">CCE-80263-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 302 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80263-7">CCE-80263-7</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
303 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38901">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38901"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.303 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38978">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38978"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
304 #304 #
305 #·Example·Call(s):305 #·Example·Call(s):
306 #306 #
307 #·····service_command·enable·bluetooth307 #·····service_command·enable·bluetooth
308 #·····service_command·disable·bluetooth.service308 #·····service_command·disable·bluetooth.service
309 #309 #
310 #·····Using·xinetd:310 #·····Using·xinetd:
Offset 373, 15 lines modifiedOffset 373, 15 lines modified
373 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd373 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
374 ··fi374 ··fi
375 fi375 fi
  
376 }376 }
  
377 service_command·disable·oddjobd377 service_command·disable·oddjobd
Max diff block lines reached; 339113/358841 bytes (94.50%) of diff not shown.
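Review bot: Every difference in this file section is a generated anchor id — `id="guide-tree-leaf-idm36944"` vs `idm37021`, `data-target="#idm36961"` vs `#idm37038`, and the same pattern at the rdisc and oddjobd rules — while the rule text, CCE identifiers and remediation scripts are byte-identical, so the guide HTML is not reproducible between the two builds. The `idm` prefix looks like the output of an XSLT `generate-id()`-style function, whose values depend on parser state rather than content; that is an inference from the naming, not something this page shows. The stable XCCDF rule id is already present on each row (e.g. `id="xccdf_org.ssgproject.content_rule_service_atd_disabled"` on the `h4`), so deriving the collapse target from that id (for example `id="remediation-shell-xccdf_org.ssgproject.content_rule_service_atd_disabled"`) in the guide stylesheet would remove the build-dependent identifiers and let the package's checksums be verified across rebuilds. This section is truncated ("Max diff block lines reached"), so it cannot be confirmed from here that no other kind of difference exists in the file.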
1020 KB
./usr/share/doc/ssg-nondebian/ssg-rhel7-guide-stig-rhel7-disa.html
    
Offset 84, 68 lines modifiedOffset 84, 68 lines modified
84 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict84 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
85 the·service·as·much·as·possible,·for·instance·by·configuring·host85 the·service·as·much·as·possible,·for·instance·by·configuring·host
86 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the86 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
87 vulnerable·service·to·only·those·remote·hosts·which·have·a·known87 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
88 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec88 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
89 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which89 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
90 allow·cleartext·remote·access·and·have·an·insecure·trust90 allow·cleartext·remote·access·and·have·an·insecure·trust
91 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36089"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files91 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36064"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files
92 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts92 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts
93 and·users·that·are·trusted·by·the·local·system.93 and·users·that·are·trusted·by·the·local·system.
94 To·remove·these·files,·run·the·following·command·to·delete·them·from·any94 To·remove·these·files,·run·the·following·command·to·delete·them·from·any
95 location:95 location:
96 <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the96 <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the
97 system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing97 system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing
98 unauthorized·access·to·the·system,·as·it·does·not·require·interactive98 unauthorized·access·to·the·system,·as·it·does·not·require·interactive
99 identification·and·authentication·of·a·connection·request,·or·for·the·use·of99 identification·and·authentication·of·a·connection·request,·or·for·the·use·of
100 two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 100 two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
101 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 101 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
102 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80513-5">CCE-80513-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 102 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80513-5">CCE-80513-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
103 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040550</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36100">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36100"><pre><code>103 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040550</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36075">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36075"><pre><code>
104 #·Identify·local·mounts104 #·Identify·local·mounts
105 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·105 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·
  
106 #·Find·file·on·each·listed·mount·point106 #·Find·file·on·each·listed·mount·point
107 for·cur_mount·in·${MOUNT_LIST}107 for·cur_mount·in·${MOUNT_LIST}
108 do108 do
109 »       find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\;109 »       find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\;
110 done110 done
111 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36137"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files111 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36112"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files
112 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files112 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files
113 list·remote·hosts·and·users·that·are·trusted·by·the113 list·remote·hosts·and·users·that·are·trusted·by·the
114 local·system.·To·remove·these·files,·run·the·following·command114 local·system.·To·remove·these·files,·run·the·following·command
115 to·delete·them·from·any·location:115 to·delete·them·from·any·location:
116 <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for116 <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for
117 individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not117 individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not
118 sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not118 sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not
119 require·interactive·identification·and·authentication·of·a·connection·request,119 require·interactive·identification·and·authentication·of·a·connection·request,
120 or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 120 or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
121 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 121 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
122 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80514-3">CCE-80514-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 122 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-80514-3">CCE-80514-3</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
123 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040540</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36148">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36148"><pre><code>123 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-040540</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36123"><pre><code>
124 #·Identify·local·mounts124 #·Identify·local·mounts
125 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·125 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·
  
126 #·Find·file·on·each·listed·mount·point126 #·Find·file·on·each·listed·mount·point
127 for·cur_mount·in·${MOUNT_LIST}127 for·cur_mount·in·${MOUNT_LIST}
128 do128 do
129 »       find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\;129 »       find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\;
130 done130 done
131 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36153"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package131 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36128"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package
132 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with132 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with
133 the·following·command:133 the·following·command:
134 <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not134 <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not
135 provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak135 provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak
136 authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password136 authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password
137 could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure137 could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure
138 network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional)138 network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional)
139 activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 139 activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
140 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 140 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
141 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27342-5">CCE-27342-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 141 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27342-5">CCE-27342-5</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
142 ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020000</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm36180">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36180"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.142 ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-020000</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4
.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36155">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36155"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
143 #143 #
144 #·Example·Call(s):144 #·Example·Call(s):
145 #145 #
146 #·····package_remove·telnet-server146 #·····package_remove·telnet-server
147 #147 #
148 function·package_remove·{148 function·package_remove·{
  
Offset 175, 15 lines modifiedOffset 175, 15 lines modified
175 ··echo·"Aborting."175 ··echo·"Aborting."
176 ··exit·1176 ··exit·1
177 fi177 fi
  
178 }178 }
  
179 package_remove·rsh-server179 package_remove·rsh-server
180 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36182">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36182"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh-server·is·removed180 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36157">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36157"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh-server·is·removed
181 ··package:181 ··package:
182 ····name="{{item}}"182 ····name="{{item}}"
183 ····state=absent183 ····state=absent
184 ··with_items:184 ··with_items:
185 ····-·rsh-server185 ····-·rsh-server
186 ··tags:186 ··tags:
187 ····-·package_rsh-server_removed187 ····-·package_rsh-server_removed
Offset 191, 43 lines modifiedOffset 191, 43 lines modified
191 ····-·disable_strategy191 ····-·disable_strategy
192 ····-·low_complexity192 ····-·low_complexity
193 ····-·low_disruption193 ····-·low_disruption
194 ····-·CCE-27342-5194 ····-·CCE-27342-5
195 ····-·NIST-800-53-AC-17(8)195 ····-·NIST-800-53-AC-17(8)
196 ····-·NIST-800-53-CM-7(a)196 ····-·NIST-800-53-CM-7(a)
197 ····-·DISA-STIG-RHEL-07-020000197 ····-·DISA-STIG-RHEL-07-020000
198 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh-server198 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36158">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36158"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh-server
  
199 class·remove_rsh-server·{199 class·remove_rsh-server·{
200 ··package·{·'rsh-server':200 ··package·{·'rsh-server':
201 ····ensure·=&gt;·'purged',201 ····ensure·=&gt;·'purged',
202 ··}202 ··}
203 }203 }
204 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36184">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36184"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>204 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36159">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36159"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
205 package·--remove=rsh-server205 package·--remove=rsh-server
206 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet206 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet
207 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity207 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity
208 for·information·transmitted·on·the·network.·This·includes·authentication208 for·information·transmitted·on·the·network.·This·includes·authentication
209 information·such·as·passwords.·Organizations·which·use·telnet·should·be209 information·such·as·passwords.·Organizations·which·use·telnet·should·be
210 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36280"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package210 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36255"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package
211 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with211 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with
212 the·following·command:212 the·following·command:
213 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding213 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding
214 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore214 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore
215 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.215 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.
216 <br>216 <br>
217 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·217 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·
218 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were218 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were
219 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.219 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.
220 <br>220 <br>
221 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·221 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·
222 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 222 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
223 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 223 ························high</p></div><div·class="identifiers"><p><span·class="label·label-info"·title="A·globally·meaningful·identifiers·for·this·rule.·MAY·be·the·name·or·identifier·of·a·security·configuration·issue·or·vulnerability·that·the·rule·remediates.·By·setting·an·identifier·on·a·rule,·the·benchmark·author·effectively·declares·that·the·rule·instantiates,·implements,·or·remediates·the·issue·for·which·the·name·was·assigned.">Identifiers:</span> 
224 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27165-0">CCE-27165-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 224 ············<abbr·title="https://nvd.nist.gov/cce/index.cfm:·CCE-27165-0">CCE-27165-0</abbr></p><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
225 ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021710</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm36309">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36309"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.225 ············<a·href="http://iase.disa.mil/stigs/os/unix-linux/Pages/index.aspx">RHEL-07-021710</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublica
tions/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36284">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36284"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
226 #226 #
227 #·Example·Call(s):227 #·Example·Call(s):
228 #228 #
229 #·····package_remove·telnet-server229 #·····package_remove·telnet-server
230 #230 #
231 function·package_remove·{231 function·package_remove·{
Max diff block lines reached; 1012116/1040524 bytes (97.27%) of diff not shown.
1.45 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-C2S.html
    
Offset 65, 45 lines modifiedOffset 65, 43 lines modified
65 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in65 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
66 this·guide·without·first·testing·them·in·a·non-operational·environment.·The66 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
67 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by67 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
68 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its68 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
69 quality,·reliability,·or·any·other·characteristic.69 quality,·reliability,·or·any·other·characteristic.
70 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>70 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
71 ····························(as·of·2018-07-26)71 ····························(as·of·2018-07-26)
72 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a[·...·truncated·by·diffoscope;·len:·1198,·SHA:·51cf316a1f51145ef5b84d4df33141a3708861da5f3329cf77ffa71a74c6142b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.
ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services72 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><
li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·188·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
74 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It74 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
75 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which75 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
76 ones·can·be·safely·disabled.76 ones·can·be·safely·disabled.
77 <br><br>77 <br><br>
78 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional78 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
79 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up79 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
80 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server80 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·45·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows81 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
82 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft82 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
83 Windows·systems.·There·are·two·software·packages·that·provide83 that·passwords·and·other·data·transmitted·during·the·session·can·be
84 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of84 captured·and·that·the·session·is·vulnerable·to·hijacking.
85 command·line·tools·that·enable·a·client·system·to·access·Samba85 Therefore,·running·the·FTP·server·software·is·not·recommended.
86 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba86 <br><br>
87 service.·It·is·this·second·package·that·allows·a·Linux·system·to87 However,·there·are·some·FTP·server·configurations·which·may
88 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a88 be·appropriate·for·some·environments,·particularly·those·which
89 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by89 allow·only·read-only·anonymous·access·as·a·means·of·downloading
90 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible90 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
91 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it91 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
92 will·remain·disabled.·Do·not·enable·this·service·unless·it·is92 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
93 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print93 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
94 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_samba_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_samba_removed"·id="guide-tree-leaf-idm29016"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_samba_removed">Uninstall·samba·Package 
95 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_samba_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> 
96 ············94 ············
97 ········The·<code>samba</code>·package·can·be·removed·with·the·following·command:95 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
98 ········<pre>$·sudo·yum·erase·samba</pre>96 ········<pre>$·sudo·yum·erase·vsftpd</pre>
99 ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·mount·directories·and·file·systems·to97 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
100 Windows·systems,·then·this·service·can·be·deleted·to·reduce·98 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
101 the·potential·attack·surface.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 99 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
102 ························unknown</p></div><div·class="identifiers"></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29022">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29022"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.100 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
103 #101 #
104 #·Example·Call(s):102 #·Example·Call(s):
105 #103 #
106 #·····package_remove·telnet-server104 #·····package_remove·telnet-server
107 #105 #
108 function·package_remove·{106 function·package_remove·{
  
Offset 132, 59 lines modifiedOffset 130, 60 lines modified
132 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"130 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
133 ··echo·"Aborting."131 ··echo·"Aborting."
134 ··exit·1132 ··exit·1
135 fi133 fi
  
136 }134 }
  
137 package_remove·samba135 package_remove·vsftpd
138 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29024">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29024"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·samba·is·removed136 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29125">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29125"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed
139 ··package:137 ··package:
140 ····name="{{item}}"138 ····name="{{item}}"
141 ····state=absent139 ····state=absent
142 ··with_items:140 ··with_items:
143 ····-·samba141 ····-·vsftpd
144 ··tags:142 ··tags:
145 ····-·package_samba_removed143 ····-·package_vsftpd_removed
146 ····-·unknown_severity144 ····-·unknown_severity
147 ····-·disable_strategy145 ····-·disable_strategy
148 ····-·low_complexity146 ····-·low_complexity
149 ····-·low_disruption147 ····-·low_disruption
150 ····-·CCE-27102-3148 ····-·CCE-26687-4
151 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29025">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29025"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_samba149 ····-·NIST-800-53-CM-7
 150 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29126">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29126"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd
  
152 class·remove_samba·{151 class·remove_vsftpd·{
153 ··package·{·'samba':152 ··package·{·'vsftpd':
154 ····ensure·=&gt;·'purged',153 ····ensure·=&gt;·'purged',
155 ··}154 ··}
156 }155 }
157 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29026">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29026"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>156 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29127">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29127"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
158 package·--remove=samba157 package·--remove=vsftpd
159 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server158 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server
160 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to159 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to
161 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant160 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant
162 security·risk·because:161 security·risk·because:
163 <br><br>162 <br><br>
164 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long163 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long
165 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive164 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive
166 monitoring</li></ul>165 monitoring</li></ul>
167 <br><br>166 <br><br>
168 The·system's·default·web·server·software·is·Apache·2·and·is167 The·system's·default·web·server·software·is·Apache·2·and·is
169 provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible168 provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_httpd">Disable·Apache·if·Possible
170 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system169 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·Apache·was·installed·and·activated,·but·the·system
171 does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled170 does·not·need·to·act·as·a·web·server,·then·it·should·be·disabled
172 and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm29157"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_httpd_removed">Uninstall·httpd·Package171 and·removed·from·the·system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_httpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_httpd_removed"·id="guide-tree-leaf-idm29176"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_httpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_httpd_removed">Uninstall·httpd·Package
173 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>172 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_httpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
174 ············173 ············
175 ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command:174 ········The·<code>httpd</code>·package·can·be·removed·with·the·following·command:
176 ········<pre>$·sudo·yum·erase·httpd</pre>175 ········<pre>$·sudo·yum·erase·httpd</pre>
177 ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available,176 ··········</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·no·need·to·make·the·web·server·software·available,
178 removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 177 removing·it·provides·a·safeguard·against·its·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
179 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 178 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
180 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29164">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29164"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.179 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29183">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29183"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
181 #180 #
182 #·Example·Call(s):181 #·Example·Call(s):
183 #182 #
184 #·····package_remove·telnet-server183 #·····package_remove·telnet-server
185 #184 #
186 function·package_remove·{185 function·package_remove·{
  
Offset 214, 88 lines modifiedOffset 213, 54 lines modified
214 ··echo·"Aborting."213 ··echo·"Aborting."
215 ··exit·1214 ··exit·1
216 fi215 fi
  
217 }216 }
  
218 package_remove·httpd217 package_remove·httpd
219 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29166">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29166"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·httpd·is·removed218 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29185">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29185"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·httpd·is·removed
220 ··package:219 ··package:
221 ····name="{{item}}"220 ····name="{{item}}"
222 ····state=absent221 ····state=absent
223 ··with_items:222 ··with_items:
224 ····-·httpd223 ····-·httpd
225 ··tags:224 ··tags:
226 ····-·package_httpd_removed225 ····-·package_httpd_removed
227 ····-·unknown_severity226 ····-·unknown_severity
228 ····-·disable_strategy227 ····-·disable_strategy
229 ····-·low_complexity228 ····-·low_complexity
230 ····-·low_disruption229 ····-·low_disruption
231 ····-·CCE-27133-8230 ····-·CCE-27133-8
Max diff block lines reached; 1491404/1518978 bytes (98.18%) of diff not shown.
2.15 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-CS2.html
    
Offset 56, 45 lines modifiedOffset 56, 62 lines modified
56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Example·Server·Profile</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CS2</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a[·...·truncated·by·diffoscope;·len:·1198,·SHA:·51cf316a1f51145ef5b84d4df33141a3708861da5f3329cf77ffa71a74c6142b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.
ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><
li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1198,·SHA:·bdda777e798c14415249d64418047c1cc9cd8c85417860e53ddf05c3b92b2b1b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·313·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
67 ones·can·be·safely·disabled.67 ones·can·be·safely·disabled.
68 <br><br>68 <br><br>
69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·124·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
72 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows72 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
73 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft73 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
74 Windows·systems.·There·are·two·software·packages·that·provide74 that·passwords·and·other·data·transmitted·during·the·session·can·be
75 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of75 captured·and·that·the·session·is·vulnerable·to·hijacking.
76 command·line·tools·that·enable·a·client·system·to·access·Samba76 Therefore,·running·the·FTP·server·software·is·not·recommended.
77 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba77 <br><br>
78 service.·It·is·this·second·package·that·allows·a·Linux·system·to78 However,·there·are·some·FTP·server·configurations·which·may
79 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a79 be·appropriate·for·some·environments,·particularly·those·which
80 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by80 allow·only·read-only·anonymous·access·as·a·means·of·downloading
81 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible81 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·4·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
83 will·remain·disabled.·Do·not·enable·this·service·unless·it·is83 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
84 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print84 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions
85 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm29002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba85 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code>
86 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>86 configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>:
 87 <pre>xferlog_enable=YES
 88 xferlog_std_format=NO
 89 log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to
 90 the·FTP·server·are·logged·using·the·verbose·vsftpd·log
 91 format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 92 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 93 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29067"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users
 94 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code>
 95 by·default.·Add·or·correct·the·following·configuration·options:
 96 <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 97 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 98 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
 99 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
 100 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29100"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
 101 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
87 ············102 ············
88 ········The·<code>smb</code>·service·can·be·disabled·with·the·following·command:103 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
89 ········<pre>$·sudo·chkconfig·smb·off</pre>104 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
90 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·a·Samba·server·provides·a·network-based·avenue·of·attack,·and105 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
91 should·be·disabled·if·not·needed.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 106 of·attack,·and·should·be·disabled·if·not·needed.
 107 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
 108 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
92 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 109 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
93 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29009">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29009"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.110 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
94 #111 #
95 #·Example·Call(s):112 #·Example·Call(s):
96 #113 #
97 #·····service_command·enable·bluetooth114 #·····service_command·enable·bluetooth
98 #·····service_command·disable·bluetooth.service115 #·····service_command·disable·bluetooth.service
99 #116 #
100 #·····Using·xinetd:117 #·····Using·xinetd:
Offset 161, 135 lines modifiedOffset 178, 123 lines modified
161 ··else178 ··else
162 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd179 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
163 ··fi180 ··fi
164 fi181 fi
  
165 }182 }
  
166 service_command·disable·smb183 service_command·disable·vsftpd
167 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29011">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29011"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·smb184 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd
168 ··service:185 ··service:
169 ····name="{{item}}"186 ····name="{{item}}"
170 ····enabled="no"187 ····enabled="no"
171 ····state="stopped"188 ····state="stopped"
172 ··register:·service_result189 ··register:·service_result
173 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"190 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
174 ··with_items:191 ··with_items:
175 ····-·smb192 ····-·vsftpd
176 ··tags:193 ··tags:
177 ····-·service_smb_disabled194 ····-·service_vsftpd_disabled
178 ····-·unknown_severity195 ····-·unknown_severity
179 ····-·disable_strategy196 ····-·disable_strategy
180 ····-·low_complexity197 ····-·low_complexity
181 ····-·low_disruption198 ····-·low_disruption
182 ····-·CCE-27143-7199 ····-·CCE-26948-0
183 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary200 ····-·NIST-800-53-CM-7
184 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in201 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
185 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a202 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
186 <code>[global]</code>·configuration·section·and·a·series·of·user203 ············
187 created·share·definition·sections·meant·to·describe·file·or·print204 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
188 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode205 ········<pre>$·sudo·yum·erase·vsftpd</pre>
189 and·allow·client·systems·to·access·local·home·directories·and206 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
190 printers.·It·is·recommended·that·these·settings·be·changed·or·that207 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
191 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_smb_server_disable_root"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smb_server_disable_root"·id="guide-tree-leaf-idm29072"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_smb_server_disable_root">Disable·Root·Access·to·SMB·Shares 
192 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_smb_server_disable_root">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Administrators·should·not·use·administrator·accounts·to·access 
193 Samba·file·and·printer·shares.·Disable·the·root·user·and·the·wheel 
194 administrator·group: 
195 <pre>[<i>share</i>] 
196 ··invalid·users·=·root·@wheel</pre> 
197 If·administrator·accounts·cannot·be·disabled,·ensure·that·local·system 
198 passwords·and·Samba·service·passwords·do·not·match.</p><span·class="label·label-primary">Rationale:</span><p>Typically,·administrator·access·is·required·when·Samba·must·create·user·and 
199 system·accounts·and·shares.·Domain·member·servers·and·standalone·servers·may 
200 not·need·administrator·access·at·all.·If·that·is·the·case,·add·the·invalid 
201 users·parameter·to·<code>[global]</code>·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
202 ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient 
203 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
204 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
205 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
206 <pre>client·signing·=·mandatory</pre> 
207 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
208 signing·ensures·they·can 
209 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
210 man-in-the-middle·attacks·which·modify·SMB·packets·in 
211 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
212 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 208 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
213 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><pre><code>######################################################################209 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
214 #By·Luke·"Brisk-OH"·Brisk210 #
215 #luke.brisk@boeing.com·or·luke.brisk@gmail.com211 #·Example·Call(s):
216 ######################################################################212 #
 213 #·····package_remove·telnet-server
 214 #
 215 function·package_remove·{
  
217 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)216 #·Load·function·arguments·into·local·variables
 217 local·package="$1"
Max diff block lines reached; 2227557/2257794 bytes (98.66%) of diff not shown.
1.47 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-CSCF-RHEL6-MLS.html
    
Offset 61, 268 lines modifiedOffset 61, 146 lines modified
61 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in61 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
62 this·guide·without·first·testing·them·in·a·non-operational·environment.·The62 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
63 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by63 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
64 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its64 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
65 quality,·reliability,·or·any·other·characteristic.65 quality,·reliability,·or·any·other·characteristic.
66 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>66 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CSCF·RHEL6·MLS·Core·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_CSCF-RHEL6-MLS</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
67 ····························(as·of·2018-07-26)67 ····························(as·of·2018-07-26)
68 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avah[·...·truncated·by·diffoscope;·len:·769,·SHA:·3124dfdf73350166f9f7cbf4323d48d584287410c4cd751c8ee8b136e9c820f6·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.s
sgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services68 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgp
roject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SS[·...·truncated·by·diffoscope;·len:·769,·SHA:·db505ea275ff2d5c2ba13f068156b97f7fb51fc9aa062d91c74450db7783e2d3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·215·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
70 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It70 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
71 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which71 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
72 ones·can·be·safely·disabled.72 ones·can·be·safely·disabled.
73 <br><br>73 <br><br>
74 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional74 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
75 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up75 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
76 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server76 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·62·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
78 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant78 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
79 security·risk·because:79 that·passwords·and·other·data·transmitted·during·the·session·can·be
80 <br><br>80 captured·and·that·the·session·is·vulnerable·to·hijacking.
81 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long81 Therefore,·running·the·FTP·server·software·is·not·recommended.
82 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive 
83 monitoring</li></ul> 
84 <br><br> 
85 The·system's·default·web·server·software·is·Apache·2·and·is 
86 provided·in·the·RPM·package·<code>httpd</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_securing_httpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_securing_httpd">Secure·Apache·Configuration 
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_securing_httpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>httpd</code>·configuration·file·is 
88 <code>/etc/httpd/conf/httpd.conf</code>.·Apply·the·recommendations·in·the·remainder 
89 of·this·section·to·this·file.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_securing_httpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_http"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">Restrict·Web·Server·Information·Leakage 
90 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>ServerTokens</code>·and·<code>ServerSignature</code>·directives·determine·how 
91 much·information·the·web·server·discloses·about·the·configuration·of·the 
92 system.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_httpd_servertokens_prod"·id="guide-tree-leaf-idm29183"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">Set·httpd·ServerTokens·Directive·to·Prod 
93 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_httpd_servertokens_prod">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p><code>ServerTokens·Prod</code>·restricts·information·in·page·headers,·returning·only·the·word·"Apache." 
94 <br><br>82 <br><br>
95 Add·or·correct·the·following·directive·in·<code>/etc/httpd/conf/httpd.conf</code>:83 However,·there·are·some·FTP·server·configurations·which·may
96 <pre>ServerTokens·Prod</pre></p><span·class="label·label-primary">Rationale:</span><p>Information·disclosed·to·clients·about·the·configuration·of·the·web·server·and·system·could·be·used84 be·appropriate·for·some·environments,·particularly·those·which
97 to·plan·an·attack·on·the·given·system.·This·information·disclosure·should·be·restricted·to·a·minimum.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 85 allow·only·read-only·anonymous·access·as·a·means·of·downloading
98 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 86 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
99 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server">Configure·Operating·System·to·Protect·Web·Server87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
100 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·following·configuration·steps·should·be·taken·on·the·system·which·hosts·the88 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29100"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
101 web·server,·in·order·to·provide·as·safe·an·environment·as·possible·for·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_securing_httpd"><td·style="padding-left:·76px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td·style="padding-left:·95px"><h3·id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access">Restrict·File·and·Directory·Access89 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
102 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Minimize·access·to·critical·<code>httpd</code>·files·and·directories.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server"><td·style="padding-left:·95px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files"·id="guide-tree-leaf-idm29242"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files">Set·Permissions·on·All·Configuration·Files·In[·...·truncated·by·diffoscope;·len:·21,·SHA:·a654334628ce638827ebb93749447f027c2f5ab718a08056943c12357d56bb7e·...·]90 ············
103 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_file_permissions_httpd_server_conf_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Set·permissions·on·the·web·server·configuration·files·to·640:91 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
104 <pre>$·sudo·chmod·640·/etc/httpd/conf/*</pre></p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·configuration·files·may·allow·an·unauthorized·user·or·attacker92 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
105 to·access·information·about·the·web·server·or·to·alter·the·server's·configuration·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span93 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
106 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span94 of·attack,·and·should·be·disabled·if·not·needed.
107 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29248">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29248"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>95 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
108 chmod·0640·/etc/httpd/conf/*96 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
109 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29249">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29249"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code> 
110 -·name:·Find·/etc/httpd/conf/*·file(s) 
111 ··find: 
112 ····paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}" 
113 ····patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}" 
114 ··register:·files_found 
115 ··tags: 
116 ····-·file_permissions_httpd_server_conf_files 
117 ····-·unknown_severity 
118 ····-·configure_strategy 
119 ····-·low_complexity 
120 ····-·low_disruption 
121 ····-·CCE-27316-9 
122 ····-·NIST-800-53-CM-7 
  
123 -·name:·Set·permissions 
124 ··file: 
125 ····path:·"{{·item.path·}}" 
126 ····mode:·0640 
127 ··with_items: 
128 ····-·"{{·files_found.files·}}" 
129 ··tags: 
130 ····-·file_permissions_httpd_server_conf_files 
131 ····-·unknown_severity 
132 ····-·configure_strategy 
133 ····-·low_complexity 
134 ····-·low_disruption 
135 ····-·CCE-27316-9 
136 ····-·NIST-800-53-CM-7 
137 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd"·id="guide-tree-leaf-idm29252"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access"><td·style="padding-left:·114px"><h4·id="xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">Set·Permissions·on·the·/var/log/httpd/·Directory 
138 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_dir_perms_var_log_httpd">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Ensure·that·the·permissions·on·the·web·server·log·directory·is·set·to·700: 
139 <pre>$·sudo·chmod·700·/var/log/httpd/</pre> 
140 This·is·its·default·setting.</p><span·class="label·label-primary">Rationale:</span><p>Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker 
141 to·access·information·about·the·web·server·or·alter·the·server's·log·files.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
142 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 97 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
143 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software98 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
144 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. 
145 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious 
146 targets·of·network·attack. 
147 Ensure·that·systems·are·not·running·MTAs·unnecessarily, 
148 and·configure·needed·MTAs·as·defensively·as·possible. 
149 <br><br> 
150 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the 
151 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email 
152 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. 
153 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, 
154 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. 
155 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
156 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
157 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
158 <br><br> 
159 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software 
160 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. 
161 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by 
162 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. 
163 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients 
164 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only 
165 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29524"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening 
166 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following 
167 <code>inet_interfaces</code>·line·appears: 
168 <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages 
169 (such·as·cron·job·reports)·from·the·local·system·only, 
170 and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
171 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
172 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_sendmail_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_sendmail_removed"·id="guide-tree-leaf-idm29616"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_package_sendmail_removed">Uninstall·Sendmail·Package 
173 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_sendmail_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Sendmail·is·not·the·default·mail·transfer·agent·and·is 
174 not·installed·by·default. 
  
175 ········The·<code>sendmail</code>·package·can·be·removed·with·the·following·command: 
176 ········<pre>$·sudo·yum·erase·sendmail</pre></p><span·class="label·label-primary">Rationale:</span><p>The·sendmail·software·was·not·developed·with·security·in·mind·and 
177 its·design·prevents·it·from·being·effectively·contained·by·SELinux.··Postfix 
178 should·be·used·instead.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
179 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
180 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50472r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29625">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29625"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
181 #99 #
182 #·Example·Call(s):100 #·Example·Call(s):
183 #101 #
184 #·····package_remove·telnet-server102 #·····service_command·enable·bluetooth
 103 #·····service_command·disable·bluetooth.service
Max diff block lines reached; 1505603/1536645 bytes (97.98%) of diff not shown.
255 KB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-default.html
    
Offset 56, 89 lines modifiedOffset 56, 44 lines modified
56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·S[·...·truncated·by·diffoscope;·len:·1394,·SHA:·f9605989138a055136c42bc085f02de0147473f760d936bba4f0446adaf588d9·...·]</a>
</li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_sssd">System·Security·Services·Daemon</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_gro
up_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li[·...·truncated·by·diffoscope;·len:·1394,·SHA:·9a1bfb5c7765341b73597905fe9f3f980e67a77f0272acdc04afd633558c2516·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
74 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft74 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
75 Windows·systems.·There·are·two·software·packages·that·provide75 that·passwords·and·other·data·transmitted·during·the·session·can·be
76 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of76 captured·and·that·the·session·is·vulnerable·to·hijacking.
77 command·line·tools·that·enable·a·client·system·to·access·Samba77 Therefore,·running·the·FTP·server·software·is·not·recommended.
78 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba78 <br><br>
79 service.·It·is·this·second·package·that·allows·a·Linux·system·to79 However,·there·are·some·FTP·server·configurations·which·may
80 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a80 be·appropriate·for·some·environments,·particularly·those·which
81 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by81 allow·only·read-only·anonymous·access·as·a·means·of·downloading
82 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible82 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
84 will·remain·disabled.·Do·not·enable·this·service·unless·it·is84 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
85 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print85 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP
86 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary86 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in87 do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an
88 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a88 identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
89 <code>[global]</code>·configuration·section·and·a·series·of·user89 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and
90 created·share·definition·sections·meant·to·describe·file·or·print90 set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
91 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode91 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
92 and·allow·client·systems·to·access·local·home·directories·and92 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server
93 printers.·It·is·recommended·that·these·settings·be·changed·or·that 
94 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_disable_printing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_disable_printing">Restrict·Printer·Sharing 
95 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_disable_printing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>By·default,·Samba·utilizes·the·CUPS·printing·service·to·enable 
96 printer·sharing·with·Microsoft·Windows·workstations.·If·there·are·no·printers 
97 on·the·local·system,·or·if·printer·sharing·with·Microsoft·Windows·is·not 
98 required,·disable·the·printer·sharing·capability·by·commenting·out·the 
99 following·lines,·found·in·<code>/etc/samba/smb.conf</code>: 
100 <pre>[global] 
101 ··load·printers·=·yes 
102 ··cups·options·=·raw 
103 [printers] 
104 ··comment·=·All·Printers 
105 ··path·=·/usr/spool/samba 
106 ··browseable·=·no 
107 ··guest·ok·=·no 
108 ··writable·=·no 
109 ··printable·=·yes</pre> 
110 There·may·be·other·options·present,·but·these·are·the·only·options·enabled·and 
111 uncommented·by·default.·Removing·the·<code>[printers]</code>·share·should·be·enough 
112 for·most·users.··If·the·Samba·printer·sharing·capability·is·needed,·consider 
113 disabling·the·Samba·network·browsing·capability·or·restricting·access·to·a 
114 particular·set·of·users·or·network·addresses.·Set·the·<code>valid·users</code> 
115 parameter·to·a·small·subset·of·users·or·restrict·it·to·a·particular·group·of 
116 users·with·the·shorthand·<code>@</code>.·Separate·each·user·or·group·of·users·with 
117 a·space.·For·example,·under·the·<code>[printers]</code>·share: 
118 <pre>[printers] 
119 ··valid·users·=·user·@printerusers</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_disable_printing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">Restrict·SMB·File·Sharing·to·Configured·Networks 
120 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Only·users·with·local·user·accounts·will·be·able·to·log·in·to 
121 Samba·shares·by·default.·Shares·can·be·limited·to·particular·users·or·network 
122 addresses.·Use·the·<code>hosts·allow</code>·and·<code>hosts·deny</code>·directives 
123 accordingly,·and·consider·setting·the·valid·users·directive·to·a·limited·subset 
124 of·users·or·to·a·group·of·users.·Separate·each·address,·user,·or·user·group 
125 with·a·space·as·follows·for·a·particular·<i>share</i>·or·global: 
126 <pre>[<i>share</i>] 
127 ··hosts·allow·=·192.168.1.·127.0.0.1 
128 ··valid·users·=·userone·usertwo·@usergroup</pre> 
129 It·is·also·possible·to·limit·read·and·write·access·to·particular·users·with·the 
130 read·list·and·write·list·options,·though·the·permissions·set·by·the·system 
131 itself·will·override·these·settings.·Set·the·read·only·attribute·for·each·share 
132 to·ensure·that·global·settings·will·not·accidentally·override·the·individual 
133 share·settings.·Then,·as·with·the·valid·users·directive,·separate·each·user·or 
134 group·of·users·with·a·space: 
135 <pre>[<i>share</i>] 
136 ··read·only·=·yes 
137 ··write·list·=·userone·usertwo·@usergroup</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb_restrict_file_sharing"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server 
138 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to93 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to
139 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant94 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant
140 security·risk·because:95 security·risk·because:
141 <br><br>96 <br><br>
142 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long97 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long
143 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive98 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive
144 monitoring</li></ul>99 monitoring</li></ul>
Offset 351, 165 lines modifiedOffset 306, 179 lines modified
351 <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration306 <pre>#LoadModule·ext_filter_module·modules/mod_ext_filter.so</pre></li><li>User-specified·Cache·Control·and·Expiration
352 <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery)307 <pre>#LoadModule·expires_module·modules/mod_expires.so</pre></li><li>Compression·Output·Filter·(provides·content·compression·prior·to·client·delivery)
353 <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization308 <pre>#LoadModule·deflate_module·modules/mod_deflate.so</pre></li><li>HTTP·Response/Request·Header·Customization
354 <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies309 <pre>#LoadModule·headers_module·modules/mod_headers.so</pre></li><li>User·activity·monitoring·via·cookies
355 <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting310 <pre>#LoadModule·usertrack_module·modules/mod_usertrack.so</pre></li><li>Dynamically·configured·mass·virtual·hosting
356 <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul>311 <pre>#LoadModule·vhost_alias_module·modules/mod_vhost_alias.so</pre></li></ul>
357 Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk312 Minimizing·the·number·of·loadable·modules·available·to·the·web·server·reduces·risk
358 by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software313 by·limiting·the·capabilities·allowed·by·the·web·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_httpd_optional_components"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_httpd_core_modules"><td·style="padding-left:·114px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dns">DNS·Server
359 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network.314 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Most·organizations·have·an·operational·need·to·run·at
360 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious315 least·one·nameserver.·However,·there·are·many·common·attacks
361 targets·of·network·attack.316 involving·DNS·server·software,·and·this·server·software·should
362 Ensure·that·systems·are·not·running·MTAs·unnecessarily,317 be·disabled·on·any·system
363 and·configure·needed·MTAs·as·defensively·as·possible.318 on·which·it·is·not·needed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_isolation"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_isolation">Isolate·DNS·from·Other·Services
364 <br><br>319 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_isolation">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·mechanisms·for·preventing·the·DNS·server
365 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the320 from·interfering·with·other·services.·This·is·done·both·to·protect·the
366 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email321 remainder·of·the·network·should·a·nameserver·be·compromised,·and·to·make·direct
367 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3.322 attacks·on·nameservers·more·difficult.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_chroot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_chroot">Run·DNS·Software·in·a·chroot·Jail
368 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email,323 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_chroot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Install·the·<code>bind-chroot</code>·package:
369 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator.324 <pre>$·sudo·yum·install·bind-chroot</pre>
370 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from325 Place·a·valid·named.conf·file·inside·the·chroot·jail:
371 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account),326 <pre>$·sudo·cp·/etc/named.conf·/var/named/chroot/etc/named.conf
372 but·the·system·still·cannot·receive·mail·directly·over·a·network.327 $·sudo·chown·root:root·/var/named/chroot/etc/named.conf
373 <br><br>328 $·sudo·chmod·644·/var/named/chroot/etc/named.conf</pre>
374 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software329 Create·and·populate·an·appropriate·zone·directory·within·the·jail,·based·on·the
375 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred.330 options·directive.·If·your·<code>named.conf</code>·includes:
376 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by331 <pre>options·{
377 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions.332 directory·"/path/to/DIRNAME·";
378 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients333 ...
379 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only334 }</pre>
380 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_harden_os"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_harden_os"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_harden_os">Configure·Operating·System·to·Protect·Mail·Server335 then·copy·that·directory·and·its·contents·from·the·original·zone·directory:
381 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_harden_os">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·guidance·in·this·section·is·appropriate·for·any·host·which·is336 <pre>$·sudo·cp·-r·/path/to/DIRNAME·/var/named/chroot/DIRNAME</pre>
382 operating·as·a·site·MTA,·whether·the·mail·server·runs·using·Sendmail,·Postfix,337 Add·or·correct·the·following·line·within·<code>/etc/sysconfig/named</code>:
383 or·some·other·software.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs">Configure·SSL·Certificates·for·Use·with·SMTP·AUTH338 <pre>ROOTDIR=/var/named/chroot</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_chroot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_dedicated"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_dedicated">Run·DNS·Software·on·Dedicated·Servers
384 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·SMTP·AUTH·is·to·be·used,·the·use·of·SSL·to·protect·credentials·in·transit·is·strongly·recommended.339 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dns_server_dedicated">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Since·DNS·is
385 There·are·also·configurations·for·which·it·may·be·desirable·to·encrypt·all·mail·in·transit·from·one·MTA·to·another,340 a·high-risk·service·which·must·frequently·be·made·available·to·the·entire
386 though·such·configurations·are·beyond·the·scope·of·this·guide.·In·either·event,·the·steps·for·creating·and·installing341 Internet,·it·is·strongly·recommended·that·no·other·services·be·offered·by
387 an·SSL·certificate·are·independent·of·the·MTA·in·use,·and·are·described·here.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_harden_os"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_install_ssl_cert"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs"><td·style="padding-left:·95px"><h3·id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert">Ensure·Security·of·Postfix·SSL·Certificate342 machines·which·act·as·organizational·DNS·servers.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dns_server_dedicated"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns_server_isolation"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dns_server_protection"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dns_server_protection"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dns"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_dns_server_protection">Protect·DNS·Data·from·Tampering·or·Attack
Max diff block lines reached; 198673/261308 bytes (76.03%) of diff not shown.
1.52 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-desktop.html
    
Offset 57, 45 lines modifiedOffset 57, 45 lines modified
57 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in57 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
61 quality,·reliability,·or·any·other·characteristic.61 quality,·reliability,·or·any·other·characteristic.
62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Desktop·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_desktop</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
63 ····························(as·of·2018-07-26)63 ····························(as·of·2018-07-26)
64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·1034,·SHA:·985d77cbb1354040badea5ab3b500f53cf1a38fb7eaccb8d6cd1d71f33e9ba4b·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.
ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·
href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1034,·SHA:·1b10be6148833f42610be20bd7d90e370d8d04968a079fa39af8874411e4f268·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·206·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·63·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
74 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft74 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
75 Windows·systems.·There·are·two·software·packages·that·provide75 that·passwords·and·other·data·transmitted·during·the·session·can·be
76 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of76 captured·and·that·the·session·is·vulnerable·to·hijacking.
77 command·line·tools·that·enable·a·client·system·to·access·Samba77 Therefore,·running·the·FTP·server·software·is·not·recommended.
78 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba78 <br><br>
79 service.·It·is·this·second·package·that·allows·a·Linux·system·to79 However,·there·are·some·FTP·server·configurations·which·may
80 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a80 be·appropriate·for·some·environments,·particularly·those·which
81 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by81 allow·only·read-only·anonymous·access·as·a·means·of·downloading
82 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible82 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
84 will·remain·disabled.·Do·not·enable·this·service·unless·it·is84 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29100"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
85 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print85 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
86 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm29002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba 
87 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> 
88 ············86 ············
89 ········The·<code>smb</code>·service·can·be·disabled·with·the·following·command:87 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
90 ········<pre>$·sudo·chkconfig·smb·off</pre>88 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
91 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·a·Samba·server·provides·a·network-based·avenue·of·attack,·and89 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
92 should·be·disabled·if·not·needed.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 90 of·attack,·and·should·be·disabled·if·not·needed.
 91 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
 92 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
94 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29009">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29009"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.94 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
95 #95 #
96 #·Example·Call(s):96 #·Example·Call(s):
97 #97 #
98 #·····service_command·enable·bluetooth98 #·····service_command·enable·bluetooth
99 #·····service_command·disable·bluetooth.service99 #·····service_command·disable·bluetooth.service
100 #100 #
101 #·····Using·xinetd:101 #·····Using·xinetd:
Offset 162, 124 lines modifiedOffset 162, 123 lines modified
162 ··else162 ··else
163 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd163 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
164 ··fi164 ··fi
165 fi165 fi
  
166 }166 }
  
167 service_command·disable·smb167 service_command·disable·vsftpd
168 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29011">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29011"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·smb168 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd
169 ··service:169 ··service:
170 ····name="{{item}}"170 ····name="{{item}}"
171 ····enabled="no"171 ····enabled="no"
172 ····state="stopped"172 ····state="stopped"
173 ··register:·service_result173 ··register:·service_result
174 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"174 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
175 ··with_items:175 ··with_items:
176 ····-·smb176 ····-·vsftpd
177 ··tags:177 ··tags:
178 ····-·service_smb_disabled178 ····-·service_vsftpd_disabled
179 ····-·unknown_severity179 ····-·unknown_severity
180 ····-·disable_strategy180 ····-·disable_strategy
181 ····-·low_complexity181 ····-·low_complexity
182 ····-·low_disruption182 ····-·low_disruption
183 ····-·CCE-27143-7183 ····-·CCE-26948-0
184 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary184 ····-·NIST-800-53-CM-7
185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in185 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
186 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a186 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
187 <code>[global]</code>·configuration·section·and·a·series·of·user187 ············
188 created·share·definition·sections·meant·to·describe·file·or·print188 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
189 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode189 ········<pre>$·sudo·yum·erase·vsftpd</pre>
190 and·allow·client·systems·to·access·local·home·directories·and190 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
191 printers.·It·is·recommended·that·these·settings·be·changed·or·that191 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
192 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient 
193 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
194 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
195 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
196 <pre>client·signing·=·mandatory</pre> 
197 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
198 signing·ensures·they·can 
199 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
200 man-in-the-middle·attacks·which·modify·SMB·packets·in 
201 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
202 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 192 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
203 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><pre><code>######################################################################193 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
204 #By·Luke·"Brisk-OH"·Brisk194 #
205 #luke.brisk@boeing.com·or·luke.brisk@gmail.com195 #·Example·Call(s):
206 ######################################################################196 #
 197 #·····package_remove·telnet-server
 198 #
 199 function·package_remove·{
  
207 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)200 #·Load·function·arguments·into·local·variables
 201 local·package="$1"
  
208 if·[·"$CLIENTSIGNING"·-eq·0·];··then202 #·Check·sanity·of·the·input
209 »       #·Add·to·global·section203 if·[·$#·-ne·"1"·]
210 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf204 then
 205 ··echo·"Usage:·package_remove·'package_name'"
 206 ··echo·"Aborting."
 207 ··exit·1
 208 fi
  
 209 if·which·dnf·;·then
 210 ··if·rpm·-q·--quiet·"$package";·then
 211 ····dnf·remove·-y·"$package"
 212 ··fi
 213 elif·which·yum·;·then
 214 ··if·rpm·-q·--quiet·"$package";·then
 215 ····yum·remove·-y·"$package"
 216 ··fi
 217 elif·which·apt-get·;·then
 218 ··apt-get·remove·-y·"$package"
211 else219 else
212 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf220 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 221 ··echo·"Aborting."
 222 ··exit·1
213 fi223 fi
214 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists 
215 ··stat: 
Max diff block lines reached; 1564541/1590373 bytes (98.38%) of diff not shown.
1.48 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-fisma-medium-rhel6-server.html
    
Offset 56, 15 lines modifiedOffset 56, 15 lines modified
56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FISMA·Medium·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_fisma-medium-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·[·...·truncated·by·diffoscope;·len:·81,·SHA:·e40bd79f1fd9eb150f341bd639fb375c20752df2c72fcb82d1b970a8a17b24d7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table
·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux
">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·81,·SHA:·4c0efd7fd5ff299a2185037a736930f562109fd8f8ac833d06c44618aa2adc79·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·211·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
67 ones·can·be·safely·disabled.67 ones·can·be·safely·disabled.
68 <br><br>68 <br><br>
69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 91, 15 lines modifiedOffset 91, 15 lines modified
91 <br><br>91 <br><br>
92 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP92 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP
93 servers,·and·the·remainder·obtaining·time·information·from·those93 servers,·and·the·remainder·obtaining·time·information·from·those
94 internal·servers.94 internal·servers.
95 <br><br>95 <br><br>
96 More·information·on·how·to·configure·the·NTP·server·software,96 More·information·on·how·to·configure·the·NTP·server·software,
97 including·configuration·of·cryptographic·authentication·for97 including·configuration·of·cryptographic·authentication·for
98 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29889"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon98 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29837"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon
99 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>99 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
100 ··········100 ··········
101 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:101 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
102 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>102 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>
103 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>103 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>
104 service·will·be·running·and·that·the·system·will·synchronize·its·time·to104 service·will·be·running·and·that·the·system·will·synchronize·its·time·to
105 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be105 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be
Offset 108, 15 lines modifiedOffset 108, 15 lines modified
108 services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate108 services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate
109 logs·and·auditing·possible·security·breaches.··109 logs·and·auditing·possible·security·breaches.··
110 <br><br>110 <br><br>
111 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·111 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·
112 deprecated.··Additional·information·on·this·is·available·at·112 deprecated.··Additional·information·on·this·is·available·at·
113 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 113 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
114 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 114 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
115 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29906">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29906"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.115 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29854">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29854"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
116 #116 #
117 #·Example·Call(s):117 #·Example·Call(s):
118 #118 #
119 #·····service_command·enable·bluetooth119 #·····service_command·enable·bluetooth
120 #·····service_command·disable·bluetooth.service120 #·····service_command·disable·bluetooth.service
121 #121 #
122 #·····Using·xinetd:122 #·····Using·xinetd:
Offset 184, 15 lines modifiedOffset 184, 15 lines modified
184 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd184 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
185 ··fi185 ··fi
186 fi186 fi
  
187 }187 }
  
188 service_command·enable·ntpd188 service_command·enable·ntpd
189 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29908">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29908"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd189 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd
190 ··service:190 ··service:
191 ····name="{{item}}"191 ····name="{{item}}"
192 ····enabled="yes"192 ····enabled="yes"
193 ····state="started"193 ····state="started"
194 ··with_items:194 ··with_items:
195 ····-·ntpd195 ····-·ntpd
196 ··tags:196 ··tags:
Offset 201, 35 lines modifiedOffset 201, 248 lines modified
201 ····-·enable_strategy201 ····-·enable_strategy
202 ····-·low_complexity202 ····-·low_complexity
203 ····-·low_disruption203 ····-·low_disruption
204 ····-·CCE-27093-4204 ····-·CCE-27093-4
205 ····-·NIST-800-53-AU-8(1)205 ····-·NIST-800-53-AU-8(1)
206 ····-·PCI-DSS-Req-10.4206 ····-·PCI-DSS-Req-10.4
207 ····-·DISA-STIG-RHEL-06-000247207 ····-·DISA-STIG-RHEL-06-000247
208 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29913"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers208 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers
209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization
210 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the210 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the
211 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for211 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for
212 <em>ntpserver</em>:212 <em>ntpserver</em>:
213 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of213 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of
214 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes214 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes
215 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for215 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for
216 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 216 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
217 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 217 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
218 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29925"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server218 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29873"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server
219 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit219 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit
220 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,220 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,
221 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:221 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:
222 <pre>server·<i>ntpserver</i></pre>222 <pre>server·<i>ntpserver</i></pre>
223 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time223 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time
224 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible224 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible
225 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with225 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with
226 real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 226 real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
227 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 227 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
228 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services228 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50422r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons
 229 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to
 230 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost
 231 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or
 232 may·not·be·required·on·a·given·system.·Both·daemons·should·be
 233 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_crond_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_crond_enabled"·id="guide-tree-leaf-idm30086"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_crond_enabled">Enable·cron·Service
 234 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_crond_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>crond</code>·service·is·used·to·execute·commands·at
 235 preconfigured·times.·It·is·required·by·almost·all·systems·to·perform·necessary
 236 maintenance·tasks,·such·as·notifying·root·of·system·activity.
  
 237 ········The·<code>crond</code>·service·can·be·enabled·with·the·following·command:
 238 ········<pre>$·sudo·chkconfig·--level·2345·crond·on</pre></p><span·class="label·label-primary">Rationale:</span><p>Due·to·its·usage·for·maintenance·and·security-supporting·tasks,
 239 enabling·the·cron·daemon·is·essential.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 240 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 241 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50406r2_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm30096">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30096"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 242 #
 243 #·Example·Call(s):
 244 #
 245 #·····service_command·enable·bluetooth
 246 #·····service_command·disable·bluetooth.service
 247 #
 248 #·····Using·xinetd:
 249 #·····service_command·disable·rsh.socket·xinetd=rsh
 250 #
 251 function·service_command·{
  
 252 #·Load·function·arguments·into·local·variables
 253 local·service_state=$1
 254 local·service=$2
 255 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 256 #·Check·sanity·of·the·input
 257 if·[·$#·-lt·"2"·]
 258 then
 259 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 260 ··echo
Max diff block lines reached; 1517700/1549558 bytes (97.94%) of diff not shown.
1.36 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-ftp-server.html
    
Offset 56, 23 lines modifiedOffset 56, 140 lines modified
56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>FTP·Server·Profile·(vsftpd)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_ftp-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="[·...·truncated·by·diffoscope;·len:·734,·SHA:·1f08c4e9f3a384d6ec4b26a81613c923ba42116513facbf12303cf00da55fab1·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.s
sgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a>
</li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="[·...·truncated·by·diffoscope;·len:·734,·SHA:·25c03cfca8c8e7566953764cd9421d66561e88aec462809a5f7eec462db2bd40·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·192·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
67 ones·can·be·safely·disabled.67 ones·can·be·safely·disabled.
68 <br><br>68 <br><br>
69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·51·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
 72 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
 73 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
 74 that·passwords·and·other·data·transmitted·during·the·session·can·be
 75 captured·and·that·the·session·is·vulnerable·to·hijacking.
 76 Therefore,·running·the·FTP·server·software·is·not·recommended.
 77 <br><br>
 78 However,·there·are·some·FTP·server·configurations·which·may
 79 be·appropriate·for·some·environments,·particularly·those·which
 80 allow·only·read-only·anonymous·access·as·a·means·of·downloading
 81 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
 82 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
 83 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
 84 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_restrict_users"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_ftp_restrict_users">Restrict·the·Set·of·Users·Allowed·to·Access·FTP
 85 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_restrict_users">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·describes·how·to·disable·non-anonymous·(password-based)·FTP·logins,·or,·if·it·is·not·possible·to
 86 do·this·entirely·due·to·legacy·applications,·how·to·restrict·insecure·FTP·login·to·only·those·users·who·have·an
 87 identified·need·for·this·access.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon"·id="guide-tree-leaf-idm29006"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_restrict_users"><td·style="padding-left:·95px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">Restrict·Access·to·Anonymous·Users·if·Possible
 88 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_restrict_to_anon">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than
 89 using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option:
 90 <pre>local_enable=NO</pre>
 91 If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure
 92 these·logins·as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 94 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_home_partition"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_home_partition"·id="guide-tree-leaf-idm29042"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_home_partition">Place·the·FTP·Home·Directory·on·its·Own·Partition
 95 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_home_partition">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can
 96 be·used·to·verify·that·this·directory·is·on·its·own·partition.</p><span·class="label·label-primary">Rationale:</span><p>If·there·is·a·mission-critical·reason·for·anonymous·users·to·upload·files,·precautions·must·be·taken·to·prevent
 97 these·users·from·filling·a·disk·used·by·other·services.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 98 ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions
 99 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code>
 100 configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>:
 101 <pre>xferlog_enable=YES
 102 xferlog_std_format=NO
 103 log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to
 104 the·FTP·server·are·logged·using·the·verbose·vsftpd·log
 105 format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 106 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 107 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_disable_uploads"·id="guide-tree-leaf-idm29060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_disable_uploads">Disable·FTP·Uploads·if·Possible
 108 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_disable_uploads">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not,
 109 edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options:
 110 <pre>write_enable=NO</pre>
 111 If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions
 112 as·much·as·possible.</p><span·class="label·label-primary">Rationale:</span><p>Anonymous·FTP·can·be·a·convenient·way·to·make·files·available·for·universal·download.·However,·it·is·less
 113 common·to·have·a·need·to·allow·unauthenticated·users·to·place·files·on·the·FTP·server.·If·this·must·be·done,·it
 114 is·necessary·to·ensure·that·files·cannot·be·uploaded·and·downloaded·from·the·same·directory.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 115 ························unknown</p></div><div·class="identifiers"></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29067"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users
 116 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code>
 117 by·default.·Add·or·correct·the·following·configuration·options:
 118 <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 119 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 120 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
 121 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_use_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·your·use-case·requires·FTP·service,·install·and
 122 set-up·vsftpd·to·provide·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_installed"·id="guide-tree-leaf-idm29083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_use_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_installed">Install·vsftpd·Package
 123 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_installed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels.
 124 <pre>$·sudo·yum·install·vsftpd</pre></p><span·class="label·label-primary">Rationale:</span><p>After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security
 125 and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 126 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 127 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 128 #
 129 #·Example·Call(s):
 130 #
 131 #·····package_install·aide
 132 #
 133 function·package_install·{
  
 134 #·Load·function·arguments·into·local·variables
 135 local·package="$1"
  
 136 #·Check·sanity·of·the·input
 137 if·[·$#·-ne·"1"·]
 138 then
 139 ··echo·"Usage:·package_install·'package_name'"
 140 ··echo·"Aborting."
 141 ··exit·1
 142 fi
  
 143 if·which·dnf·;·then
 144 ··if·!·rpm·-q·--quiet·"$package";·then
 145 ····dnf·install·-y·"$package"
 146 ··fi
 147 elif·which·yum·;·then
 148 ··if·!·rpm·-q·--quiet·"$package";·then
 149 ····yum·install·-y·"$package"
 150 ··fi
 151 elif·which·apt-get·;·then
 152 ··apt-get·install·-y·"$package"
 153 else
 154 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 155 ··echo·"Aborting."
 156 ··exit·1
 157 fi
  
 158 }
  
 159 package_install·vsftpd
 160 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29092">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29092"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·installed
 161 ··package:
 162 ····name="{{item}}"
 163 ····state=present
 164 ··with_items:
 165 ····-·vsftpd
 166 ··tags:
 167 ····-·package_vsftpd_installed
 168 ····-·unknown_severity
 169 ····-·enable_strategy
 170 ····-·low_complexity
 171 ····-·low_disruption
 172 ····-·CCE-27187-4
 173 ····-·NIST-800-53-CM-7
 174 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29093">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29093"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include·install_vsftpd
  
 175 class·install_vsftpd·{
 176 ··package·{·'vsftpd':
Max diff block lines reached; 1399001/1424926 bytes (98.18%) of diff not shown.
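Review bot: The two builds of ssg-sl6-guide-ftp-server.html differ only in the order of the child groups under Services: the old side's Table of Contents lists Samba first and FTP Server twelfth, the new side lists FTP Server first, and the checklist rows follow the same reordering (the first inner node after "contains 51 rules" is the smb group on one side and the ftp group on the other) while the rule text itself is identical. That pattern suggests the guide generator walks the benchmark's groups in an iteration order that is not stable between builds, which is what makes the package unreproducible; emitting child groups in the source order of the benchmark, or sorting them by id before rendering, would remove the difference. A smaller point in the embedded remediation script: `if which dnf ; then` lets the path printed by which leak into the script's stdout and relies on a tool that is not guaranteed to exist, whereas `if command -v dnf >/dev/null 2>&1; then` is the portable form. The hunk is cut short by diffoscope, so the rest of this file section is not visible here.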
1.91 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-nist-CL-IL-AL.html
    
Offset 61, 125 lines modifiedOffset 61, 125 lines modified
61 this·guide·without·first·testing·them·in·a·non-operational·environment.·The61 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
62 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by62 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
63 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its63 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
64 quality,·reliability,·or·any·other·characteristic.64 quality,·reliability,·or·any·other·characteristic.
65 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat·65 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>CNSSI·1253·Low/Low/Low·Control·Baseline·for·Red·Hat·
66 Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>66 Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_nist-CL-IL-AL</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
67 ····························(as·of·2018-07-26)67 ····························(as·of·2018-07-26)
68 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org[·...·truncated·by·diffoscope;·len:·879,·SHA:·21ff6503618adec4c4c9c4a0ed6e669d5b889b87c0da4727c50ebdf28eb0b4ae·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.s
sgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services68 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><l
i><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org[·...·truncated·by·diffoscope;·len:·879,·SHA:·a9e3098c4894efb85e37b60670bbc0450483217500119b1f1ca43a0e1222a6a3·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·270·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review69 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
70 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It70 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
71 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which71 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
72 ones·can·be·safely·disabled.72 ones·can·be·safely·disabled.
73 <br><br>73 <br><br>
74 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional74 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
75 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up75 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
76 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server76 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·76·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows77 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
78 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft78 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
79 Windows·systems.·There·are·two·software·packages·that·provide79 that·passwords·and·other·data·transmitted·during·the·session·can·be
80 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of80 captured·and·that·the·session·is·vulnerable·to·hijacking.
81 command·line·tools·that·enable·a·client·system·to·access·Samba81 Therefore,·running·the·FTP·server·software·is·not·recommended.
82 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba82 <br><br>
83 service.·It·is·this·second·package·that·allows·a·Linux·system·to83 However,·there·are·some·FTP·server·configurations·which·may
84 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a84 be·appropriate·for·some·environments,·particularly·those·which
85 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by85 allow·only·read-only·anonymous·access·as·a·means·of·downloading
86 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary86 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
88 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a88 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
89 <code>[global]</code>·configuration·section·and·a·series·of·user89 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
90 created·share·definition·sections·meant·to·describe·file·or·print90 ············
91 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode91 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
92 and·allow·client·systems·to·access·local·home·directories·and92 ········<pre>$·sudo·yum·erase·vsftpd</pre>
93 printers.·It·is·recommended·that·these·settings·be·changed·or·that93 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
94 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient94 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span
95 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
96 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
97 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
98 <pre>client·signing·=·mandatory</pre> 
99 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
100 signing·ensures·they·can 
101 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
102 man-in-the-middle·attacks·which·modify·SMB·packets·in 
103 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
104 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 95 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
105 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><pre><code>######################################################################96 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
106 #By·Luke·"Brisk-OH"·Brisk97 #
107 #luke.brisk@boeing.com·or·luke.brisk@gmail.com98 #·Example·Call(s):
108 ######################################################################99 #
 100 #·····package_remove·telnet-server
 101 #
 102 function·package_remove·{
  
109 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)103 #·Load·function·arguments·into·local·variables
 104 local·package="$1"
  
110 if·[·"$CLIENTSIGNING"·-eq·0·];··then105 #·Check·sanity·of·the·input
111 »       #·Add·to·global·section106 if·[·$#·-ne·"1"·]
112 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf107 then
 108 ··echo·"Usage:·package_remove·'package_name'"
 109 ··echo·"Aborting."
 110 ··exit·1
 111 fi
  
 112 if·which·dnf·;·then
 113 ··if·rpm·-q·--quiet·"$package";·then
 114 ····dnf·remove·-y·"$package"
 115 ··fi
 116 elif·which·yum·;·then
 117 ··if·rpm·-q·--quiet·"$package";·then
 118 ····yum·remove·-y·"$package"
 119 ··fi
 120 elif·which·apt-get·;·then
 121 ··apt-get·remove·-y·"$package"
113 else122 else
114 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf123 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 124 ··echo·"Aborting."
 125 ··exit·1
115 fi126 fi
116 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists 
117 ··stat: 
118 ····path:·/etc/samba/smb.conf 
119 ··register:·st_smb 
120 ··tags: 
121 ····-·require_smb_client_signing 
122 ····-·unknown_severity 
123 ····-·configure_strategy 
124 ····-·low_complexity 
125 ····-·medium_disruption 
126 ····-·CCE-26328-5 
127 ····-·DISA-STIG-RHEL-06-000272 
  
128 -·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient127 }
129 ··lineinfile: 
130 ····dest:·/etc/samba/smb.conf128 package_remove·vsftpd
131 ····line:·client·signing·=·mandatory129 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29125">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29125"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·vsftpd·is·removed
132 ····state:·present130 ··package:
133 ····insertafter:·[global]131 ····name="{{item}}"
134 ··when:·st_smb.stat.exists132 ····state=absent
 133 ··with_items:
 134 ····-·vsftpd
135 ··tags:135 ··tags:
136 ····-·require_smb_client_signing136 ····-·package_vsftpd_removed
137 ····-·unknown_severity137 ····-·unknown_severity
138 ····-·configure_strategy138 ····-·disable_strategy
139 ····-·low_complexity139 ····-·low_complexity
140 ····-·medium_disruption140 ····-·low_disruption
141 ····-·CCE-26328-5141 ····-·CCE-26687-4
142 ····-·DISA-STIG-RHEL-06-000272142 ····-·NIST-800-53-CM-7
143 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs143 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29126">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29126"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_vsftpd
144 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba 
145 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares144 class·remove_vsftpd·{
146 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either145 ··package·{·'vsftpd':
147 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.146 ····ensure·=&gt;·'purged',
148 <br><br>147 ··}
149 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba148 }
150 client·should·only·communicate·with·servers·who·can·support·SMB149 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29127">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29127"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
151 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle150 package·--remove=vsftpd
152 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 151 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server
153 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
154 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_http"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_http"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_http">Web·Server 
155 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to152 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_http">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·web·server·is·responsible·for·providing·access·to
156 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant153 content·via·the·HTTP·protocol.·Web·servers·represent·a·significant
157 security·risk·because:154 security·risk·because:
158 <br><br>155 <br><br>
159 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long156 <ul><li>The·HTTP·port·is·commonly·probed·by·malicious·sources</li><li>Web·server·software·is·very·complex,·and·includes·a·long
160 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive157 history·of·vulnerabilities</li><li>The·HTTP·protocol·is·unencrypted·and·vulnerable·to·passive
161 monitoring</li></ul>158 monitoring</li></ul>
Max diff block lines reached; 1979883/2003660 bytes (98.81%) of diff not shown.
770 KB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-pci-dss.html
    
Offset 56, 15 lines modifiedOffset 56, 15 lines modified
56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>PCI-DSS·v3·Control·Baseline·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="
padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-
tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
67 ones·can·be·safely·disabled.67 ones·can·be·safely·disabled.
68 <br><br>68 <br><br>
69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 91, 15 lines modifiedOffset 91, 15 lines modified
91 <br><br>91 <br><br>
92 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP92 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP
93 servers,·and·the·remainder·obtaining·time·information·from·those93 servers,·and·the·remainder·obtaining·time·information·from·those
94 internal·servers.94 internal·servers.
95 <br><br>95 <br><br>
96 More·information·on·how·to·configure·the·NTP·server·software,96 More·information·on·how·to·configure·the·NTP·server·software,
97 including·configuration·of·cryptographic·authentication·for97 including·configuration·of·cryptographic·authentication·for
98 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29889"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon98 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29837"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon
99 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>99 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
100 ··········100 ··········
101 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:101 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
102 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>102 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>
103 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>103 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>
104 service·will·be·running·and·that·the·system·will·synchronize·its·time·to104 service·will·be·running·and·that·the·system·will·synchronize·its·time·to
105 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be105 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be
Offset 108, 15 lines modifiedOffset 108, 15 lines modified
108 services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate108 services·such·as·Kerberos,·but·it·is·also·important·for·maintaining·accurate
109 logs·and·auditing·possible·security·breaches.··109 logs·and·auditing·possible·security·breaches.··
110 <br><br>110 <br><br>
111 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·111 The·NTP·daemon·offers·all·of·the·functionality·of·<code>ntpdate</code>,·which·is·now·
112 deprecated.··Additional·information·on·this·is·available·at·112 deprecated.··Additional·information·on·this·is·available·at·
113 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 113 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
114 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 114 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
115 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29906">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29906"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.115 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000056</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50421r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29854">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29854"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
116 #116 #
117 #·Example·Call(s):117 #·Example·Call(s):
118 #118 #
119 #·····service_command·enable·bluetooth119 #·····service_command·enable·bluetooth
120 #·····service_command·disable·bluetooth.service120 #·····service_command·disable·bluetooth.service
121 #121 #
122 #·····Using·xinetd:122 #·····Using·xinetd:
Offset 184, 15 lines modifiedOffset 184, 15 lines modified
184 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd184 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
185 ··fi185 ··fi
186 fi186 fi
  
187 }187 }
  
188 service_command·enable·ntpd188 service_command·enable·ntpd
189 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29908">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29908"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd189 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29856">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29856"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>-·name:·Enable·service·ntpd
190 ··service:190 ··service:
191 ····name="{{item}}"191 ····name="{{item}}"
192 ····enabled="yes"192 ····enabled="yes"
193 ····state="started"193 ····state="started"
194 ··with_items:194 ··with_items:
195 ····-·ntpd195 ····-·ntpd
196 ··tags:196 ··tags:
Offset 201, 25 lines modifiedOffset 201, 25 lines modified
201 ····-·enable_strategy201 ····-·enable_strategy
202 ····-·low_complexity202 ····-·low_complexity
203 ····-·low_disruption203 ····-·low_disruption
204 ····-·CCE-27093-4204 ····-·CCE-27093-4
205 ····-·NIST-800-53-AU-8(1)205 ····-·NIST-800-53-AU-8(1)
206 ····-·PCI-DSS-Req-10.4206 ····-·PCI-DSS-Req-10.4
207 ····-·DISA-STIG-RHEL-06-000247207 ····-·DISA-STIG-RHEL-06-000247
208 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29913"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers208 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm29861"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers
209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization209 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Additional·NTP·servers·can·be·specified·for·time·synchronization
210 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the210 in·the·file·<code>/etc/ntp.conf</code>.··To·do·so,·add·additional·lines·of·the
211 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for211 following·form,·substituting·the·IP·address·or·hostname·of·a·remote·NTP·server·for
212 <em>ntpserver</em>:212 <em>ntpserver</em>:
213 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of213 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of
214 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes214 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes
215 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for215 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for
216 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 216 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
217 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 217 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
218 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29925"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server218 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server"·id="guide-tree-leaf-idm29873"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server
219 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit219 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·specify·a·remote·NTP·server·for·time·synchronization,·edit
220 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,220 the·file·<code>/etc/ntp.conf</code>.·Add·or·correct·the·following·lines,
221 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:221 substituting·the·IP·or·hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:
222 <pre>server·<i>ntpserver</i></pre>222 <pre>server·<i>ntpserver</i></pre>
223 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time223 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time
224 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible224 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible
225 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with225 to·collate·system·logs·from·multiple·sources·or·correlate·computer·events·with
Offset 234, 15 lines modifiedOffset 234, 15 lines modified
234 detailed·documentation·is·available·from·its·website,234 detailed·documentation·is·available·from·its·website,
235 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and235 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·is·called·<code>sshd</code>·and
236 provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary236 provided·by·the·RPM·package·<code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary
237 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then237 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
238 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration238 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
239 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be239 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
240 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more240 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
241 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31319"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval241 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm31843"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
242 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout242 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout
243 interval.243 interval.
244 After·this·interval·has·passed,·the·idle·user·will·be244 After·this·interval·has·passed,·the·idle·user·will·be
245 automatically·logged·out.245 automatically·logged·out.
246 <br><br>246 <br><br>
247 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as247 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
248 follows:248 follows:
Offset 253, 23 lines modifiedOffset 253, 23 lines modified
253 If·a·shorter·timeout·has·already·been·set·for·the·login253 If·a·shorter·timeout·has·already·been·set·for·the·login
254 shell,·that·value·will·preempt·any·SSH254 shell,·that·value·will·preempt·any·SSH
255 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH255 setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
256 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out256 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Causing·idle·users·to·be·automatically·logged·out
257 guards·against·compromises·one·system·leading·trivially257 guards·against·compromises·one·system·leading·trivially
258 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 258 to·compromises·on·another.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
259 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 259 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
260 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm31340">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31340"><pre><code>260 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000879</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50409r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm31864">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31864"><pre><code>
261 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"261 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"
  
262 grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&amp;&amp;·\262 grep·-q·^ClientAliveInterval·/etc/ssh/sshd_config·&amp;&amp;·\
263 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config263 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config
264 if·!·[·$?·-eq·0·];·then264 if·!·[·$?·-eq·0·];·then
265 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·&gt;&gt;·/etc/ssh/sshd_config265 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·&gt;&gt;·/etc/ssh/sshd_config
266 fi266 fi
267 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm31342">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31342"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable267 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm31866">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm31866"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable
268 ··set_fact:268 ··set_fact:
269 ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>269 ····sshd_idle_timeout_value:·<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>
270 ··tags:270 ··tags:
271 ····-·always271 ····-·always
  
Max diff block lines reached; 764719/788511 bytes (96.98%) of diff not shown.
584 KB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-rht-ccp.html
    
Offset 56, 23 lines modifiedOffset 56, 135 lines modified
56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Red·Hat·Corporate·Profile·for·Certified·Cloud·Providers·(RH·CCP)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-t
t-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content
_group_software">Installing·and·Maintaining·Software</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·94·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It65 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which66 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
67 ones·can·be·safely·disabled.67 ones·can·be·safely·disabled.
68 <br><br>68 <br><br>
69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional69 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up70 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services71 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·29·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons
 72 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to
 73 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost
 74 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or
 75 may·not·be·required·on·a·given·system.·Both·daemons·should·be
 76 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm30103"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd)
 77 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to
 78 schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed
 79 execution·in·a·manner·similar·to·cron,·except·that·it·is·not
 80 recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via
 81 <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time.
  
 82 ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command:
 83 ········<pre>$·sudo·chkconfig·atd·off</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry
 84 out·activities·outside·of·a·normal·login·session,·which·could·complicate
 85 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or
 86 <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 87 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 88 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50442r3_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm30121">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30121"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 89 #
 90 #·Example·Call(s):
 91 #
 92 #·····service_command·enable·bluetooth
 93 #·····service_command·disable·bluetooth.service
 94 #
 95 #·····Using·xinetd:
 96 #·····service_command·disable·rsh.socket·xinetd=rsh
 97 #
 98 function·service_command·{
  
 99 #·Load·function·arguments·into·local·variables
 100 local·service_state=$1
 101 local·service=$2
 102 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 103 #·Check·sanity·of·the·input
 104 if·[·$#·-lt·"2"·]
 105 then
 106 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 107 ··echo
 108 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 109 ··echo·"as·the·last·argument"··
 110 ··echo·"Aborting."
 111 ··exit·1
 112 fi
  
 113 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 114 if·[·-f·"/usr/bin/systemctl"·]·;·then
 115 ··service_util="/usr/bin/systemctl"
 116 else
 117 ··service_util="/sbin/service"
 118 ··chkconfig_util="/sbin/chkconfig"
 119 fi
  
 120 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 121 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 122 if·[·"$service_state"·!=·'disable'·]·;·then
 123 ··service_state="enable"
 124 ··service_operation="start"
 125 ··chkconfig_state="on"
 126 else
 127 ··service_state="disable"
 128 ··service_operation="stop"
 129 ··chkconfig_state="off"
 130 fi
  
 131 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 132 if·[·"x$chkconfig_util"·!=·x·]·;·then
 133 ··$service_util·$service·$service_operation
 134 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 135 else
 136 ··$service_util·$service_operation·$service
 137 ··$service_util·$service_state·$service
 138 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 139 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 140 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 141 ··$service_util·reset-failed·$service
 142 fi
  
 143 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 144 #·If·empty,·then·xinetd·is·not·being·used.
 145 if·[·"x$xinetd"·!=·x·]·;·then
 146 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&amp;&amp;·\
  
 147 ··if·[·"$service_operation"·=·'disable'·]·;·then
 148 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 149 ··else
 150 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 151 ··fi
 152 fi
  
 153 }
  
 154 service_command·disable·atd
 155 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm30123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm30123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd
 156 ··service:
 157 ····name="{{item}}"
 158 ····enabled="no"
 159 ····state="stopped"
 160 ··register:·service_result
 161 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 162 ··with_items:
 163 ····-·atd
 164 ··tags:
 165 ····-·service_atd_disabled
 166 ····-·unknown_severity
 167 ····-·disable_strategy
 168 ····-·low_complexity
 169 ····-·low_disruption
 170 ····-·CCE-27249-2
 171 ····-·NIST-800-53-CM-7
 172 ····-·DISA-STIG-RHEL-06-000262
Max diff block lines reached; 582581/597561 bytes (97.49%) of diff not shown.
1.33 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-server.html
    
Offset 57, 15 lines modifiedOffset 57, 15 lines modified
57 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in57 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
61 quality,·reliability,·or·any·other·characteristic.61 quality,·reliability,·or·any·other·characteristic.
62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Server·Baseline</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
63 ····························(as·of·2018-07-26)63 ····························(as·of·2018-07-26)
64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·hr[·...·truncated·by·diffoscope;·len:·550,·SHA:·748c39ab5de3bdcff786e6f881c51adf65720558ef8b4fcaee9c7b52390b8bab·...·]</a></li></ol></ol><div·id="guide-tr
ee"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.s
sgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·550,·SHA:·57496307fa97d1728004b56852784b91d9d3fe09769ff2b07f1473882fcbec47·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·186·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 83, 39 lines modifiedOffset 83, 39 lines modified
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in
84 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a84 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a
85 <code>[global]</code>·configuration·section·and·a·series·of·user85 <code>[global]</code>·configuration·section·and·a·series·of·user
86 created·share·definition·sections·meant·to·describe·file·or·print86 created·share·definition·sections·meant·to·describe·file·or·print
87 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode87 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode
88 and·allow·client·systems·to·access·local·home·directories·and88 and·allow·client·systems·to·access·local·home·directories·and
89 printers.·It·is·recommended·that·these·settings·be·changed·or·that89 printers.·It·is·recommended·that·these·settings·be·changed·or·that
90 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient90 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29696"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient
91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use
92 packet·signing,·add·the·following·to·the·<code>[global]</code>·section92 packet·signing,·add·the·following·to·the·<code>[global]</code>·section
93 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:93 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:
94 <pre>client·signing·=·mandatory</pre>94 <pre>client·signing·=·mandatory</pre>
95 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet95 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet
96 signing·ensures·they·can96 signing·ensures·they·can
97 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent97 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent
98 man-in-the-middle·attacks·which·modify·SMB·packets·in98 man-in-the-middle·attacks·which·modify·SMB·packets·in
99 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 99 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
100 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 100 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
101 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><pre><code>######################################################################101 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29707">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29707"><pre><code>######################################################################
102 #By·Luke·"Brisk-OH"·Brisk102 #By·Luke·"Brisk-OH"·Brisk
103 #luke.brisk@boeing.com·or·luke.brisk@gmail.com103 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
104 ######################################################################104 ######################################################################
  
105 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)105 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
106 if·[·"$CLIENTSIGNING"·-eq·0·];··then106 if·[·"$CLIENTSIGNING"·-eq·0·];··then
107 »       #·Add·to·global·section107 »       #·Add·to·global·section
108 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf108 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
109 else109 else
110 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf110 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
111 fi111 fi
112 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists112 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29708">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29708"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists
113 ··stat:113 ··stat:
114 ····path:·/etc/samba/smb.conf114 ····path:·/etc/samba/smb.conf
115 ··register:·st_smb115 ··register:·st_smb
116 ··tags:116 ··tags:
117 ····-·require_smb_client_signing117 ····-·require_smb_client_signing
118 ····-·unknown_severity118 ····-·unknown_severity
119 ····-·configure_strategy119 ····-·configure_strategy
Offset 135, 84 lines modifiedOffset 135, 26 lines modified
135 ····-·require_smb_client_signing135 ····-·require_smb_client_signing
136 ····-·unknown_severity136 ····-·unknown_severity
137 ····-·configure_strategy137 ····-·configure_strategy
138 ····-·low_complexity138 ····-·low_complexity
139 ····-·medium_disruption139 ····-·medium_disruption
140 ····-·CCE-26328-5140 ····-·CCE-26328-5
141 ····-·DISA-STIG-RHEL-06-000272141 ····-·DISA-STIG-RHEL-06-000272
142 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs142 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29713"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs
143 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba143 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba
144 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares144 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares
145 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either145 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either
146 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.146 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.
147 <br><br>147 <br><br>
148 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba148 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba
149 client·should·only·communicate·with·servers·who·can·support·SMB149 client·should·only·communicate·with·servers·who·can·support·SMB
150 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle150 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle
151 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 151 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
152 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 152 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
153 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software153 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol
154 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. 
155 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious 
156 targets·of·network·attack. 
157 Ensure·that·systems·are·not·running·MTAs·unnecessarily, 
158 and·configure·needed·MTAs·as·defensively·as·possible. 
159 <br><br> 
160 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the 
161 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email 
162 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. 
163 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, 
164 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. 
165 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
166 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
167 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
168 <br><br> 
169 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software 
170 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. 
171 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by 
172 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. 
173 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients 
174 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only 
175 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29524"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening 
176 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following 
177 <code>inet_interfaces</code>·line·appears: 
178 <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages 
179 (such·as·cron·job·reports)·from·the·local·system·only, 
180 and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
181 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
182 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dhcp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_dhcp">DHCP 
183 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dhcp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Dynamic·Host·Configuration·Protocol·(DHCP)·allows 
184 systems·to·request·and·obtain·an·IP·address·and·other·configuration 
185 parameters·from·a·server. 
186 <br><br> 
187 This·guide·recommends·configuring·networking·on·clients·by·manually·editing 
188 the·appropriate·files·under·<code>/etc/sysconfig</code>.··Use·of·DHCP·can·make·client· 
189 systems·vulnerable·to·compromise·by·rogue·DHCP·servers,·and·should·be·avoided· 
190 unless·necessary.··If·using·DHCP·is·necessary,·however,·there·are·best·practices· 
191 that·should·be·followed·to·minimize·security·risk.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dhcp_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">Disable·DHCP·Client 
192 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dhcp_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>DHCP·is·the·default·network·configuration·method·provided·by·the·system 
193 installer,·and·common·on·many·networks.·Nevertheless,·manual·management 
194 of·IP·addresses·for·systems·implies·a·greater·degree·of·management·and 
195 accountability·for·network·activity.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg"·id="guide-tree-leaf-idm29753"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_dhcp_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">Disable·DHCP·Client 
196 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sysconfig_networking_bootproto_ifcfg">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>For·each·interface·on·the·system·(e.g.·eth0),·edit 
197 <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the 
198 following·changes: 
199 <ul><li>·Correct·the·BOOTPROTO·line·to·read: 
200 <pre>BOOTPROTO=none</pre> 
201 </li><li>·Add·or·correct·the·following·lines,·substituting·the·appropriate 
202 values·based·on·your·site's·addressing·scheme: 
203 <pre>NETMASK=255.255.255.0 
204 IPADDR=192.168.1.2 
205 GATEWAY=192.168.1.1</pre> 
Max diff block lines reached; 1363993/1390483 bytes (98.09%) of diff not shown.
1.3 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-standard.html
    
Offset 58, 15 lines modifiedOffset 58, 15 lines modified
58 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in58 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
59 this·guide·without·first·testing·them·in·a·non-operational·environment.·The59 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
60 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by60 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
61 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its61 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
62 quality,·reliability,·or·any·other·characteristic.62 quality,·reliability,·or·any·other·characteristic.
63 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>63 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>Standard·System·Security·Profile·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
64 ····························(as·of·2018-07-26)64 ····························(as·of·2018-07-26)
65 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configurati[·...·truncated·by·diffoscope;·len:·399,·SHA:·1813fbd08a6360a58cd44dfebbfd1c4e92674f9a178928b14bc1a2a28d09f72e·...·]</a></li></ol></ol><div·id="guide-tr
ee"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services65 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproj
ect.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li>[·...·truncated·by·diffoscope;·len:·399,·SHA:·fbfb410e2703115c5bde514edad124bef19a840feb775eacf478f7e80a5206c7·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·182·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
66 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review66 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
67 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It67 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
68 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which68 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
69 ones·can·be·safely·disabled.69 ones·can·be·safely·disabled.
70 <br><br>70 <br><br>
71 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional71 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
72 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up72 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 84, 39 lines modifiedOffset 84, 39 lines modified
84 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in84 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in
85 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a85 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a
86 <code>[global]</code>·configuration·section·and·a·series·of·user86 <code>[global]</code>·configuration·section·and·a·series·of·user
87 created·share·definition·sections·meant·to·describe·file·or·print87 created·share·definition·sections·meant·to·describe·file·or·print
88 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode88 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode
89 and·allow·client·systems·to·access·local·home·directories·and89 and·allow·client·systems·to·access·local·home·directories·and
90 printers.·It·is·recommended·that·these·settings·be·changed·or·that90 printers.·It·is·recommended·that·these·settings·be·changed·or·that
91 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient91 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29696"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient
92 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use92 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use
93 packet·signing,·add·the·following·to·the·<code>[global]</code>·section93 packet·signing,·add·the·following·to·the·<code>[global]</code>·section
94 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:94 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:
95 <pre>client·signing·=·mandatory</pre>95 <pre>client·signing·=·mandatory</pre>
96 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet96 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet
97 signing·ensures·they·can97 signing·ensures·they·can
98 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent98 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent
99 man-in-the-middle·attacks·which·modify·SMB·packets·in99 man-in-the-middle·attacks·which·modify·SMB·packets·in
100 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 100 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
101 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 101 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
102 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><pre><code>######################################################################102 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29707">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29707"><pre><code>######################################################################
103 #By·Luke·"Brisk-OH"·Brisk103 #By·Luke·"Brisk-OH"·Brisk
104 #luke.brisk@boeing.com·or·luke.brisk@gmail.com104 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
105 ######################################################################105 ######################################################################
  
106 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)106 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
107 if·[·"$CLIENTSIGNING"·-eq·0·];··then107 if·[·"$CLIENTSIGNING"·-eq·0·];··then
108 »       #·Add·to·global·section108 »       #·Add·to·global·section
109 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf109 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
110 else110 else
111 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf111 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
112 fi112 fi
113 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists113 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29708">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29708"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists
114 ··stat:114 ··stat:
115 ····path:·/etc/samba/smb.conf115 ····path:·/etc/samba/smb.conf
116 ··register:·st_smb116 ··register:·st_smb
117 ··tags:117 ··tags:
118 ····-·require_smb_client_signing118 ····-·require_smb_client_signing
119 ····-·unknown_severity119 ····-·unknown_severity
120 ····-·configure_strategy120 ····-·configure_strategy
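Review bot: The collapse-target ids on the new side (`idm29707`, `idm29708`, `idm29713`) differ from the first build's (`idm29090`, `idm29091`, `idm29096`) although the rule content is byte-identical, and the Offset 58 hunk shows the Services table of contents listing the `mail` and `ntp` groups in a different order between the two builds, so the guide HTML is not generated deterministically and the two packages cannot be verified as equal. The ids look like counter-assigned values from the generator; deriving them from the stable XCCDF rule id and iterating groups in a sorted order would make the output reproducible, which needs confirming against the generating stylesheet that is outside this diff. Separately, the unchanged remediation script's `CLIENTSIGNING=$( grep -ic 'client signing' /etc/samba/smb.conf )` also counts commented-out lines, so a file containing only `# client signing = no` takes the `else` branch whose `sed` rewrites only `= no`, and any other existing value (for example `auto`) is never changed to `mandatory`; counting only uncommented lines (`grep -Eic '^[[:blank:]]*client[[:blank:]]signing'`) and replacing whatever value is present would close that gap.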
Offset 136, 55 lines modifiedOffset 136, 26 lines modified
136 ····-·require_smb_client_signing136 ····-·require_smb_client_signing
137 ····-·unknown_severity137 ····-·unknown_severity
138 ····-·configure_strategy138 ····-·configure_strategy
139 ····-·low_complexity139 ····-·low_complexity
140 ····-·medium_disruption140 ····-·medium_disruption
141 ····-·CCE-26328-5141 ····-·CCE-26328-5
142 ····-·DISA-STIG-RHEL-06-000272142 ····-·DISA-STIG-RHEL-06-000272
143 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs143 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29713"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs
144 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba144 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba
145 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares145 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares
146 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either146 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either
147 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.147 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.
148 <br><br>148 <br><br>
149 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba149 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba
150 client·should·only·communicate·with·servers·who·can·support·SMB150 client·should·only·communicate·with·servers·who·can·support·SMB
151 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle151 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle
152 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 152 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
153 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 153 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
154 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software154 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol
155 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network. 
156 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious 
157 targets·of·network·attack. 
158 Ensure·that·systems·are·not·running·MTAs·unnecessarily, 
159 and·configure·needed·MTAs·as·defensively·as·possible. 
160 <br><br> 
161 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the 
162 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email 
163 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3. 
164 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email, 
165 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator. 
166 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
167 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
168 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
169 <br><br> 
170 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software 
171 (such·as·Sendmail),·but·Postfix·is·the·default·and·is·preferred. 
172 Postfix·was·coded·with·security·in·mind·and·can·also·be·more·effectively·contained·by 
173 SELinux·as·its·modular·design·has·resulted·in·separate·processes·performing·specific·actions. 
174 More·information·is·available·on·its·website,·<a·href="http://www.postfix.org">http://www.postfix.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_postfix_client"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_postfix_client">Configure·SMTP·For·Mail·Clients 
175 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_postfix_client">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·settings·for·Postfix·in·a·submission-only 
176 e-mail·configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_postfix_client"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_mail"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled"·id="guide-tree-leaf-idm29524"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_postfix_client"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">Disable·Postfix·Network·Listening 
177 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following 
178 <code>inet_interfaces</code>·line·appears: 
179 <pre>inet_interfaces·=·localhost</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·<code>postfix</code>·accepts·mail·messages 
180 (such·as·cron·job·reports)·from·the·local·system·only, 
181 and·not·from·the·network,·which·protects·it·from·network·attack.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
182 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span>  
183 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000096</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50423r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol 
184 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system155 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system
185 clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so156 clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so
186 time·will·drift·unpredictably·on·unmanaged·systems.·Central·time157 time·will·drift·unpredictably·on·unmanaged·systems.·Central·time
187 protocols·can·be·used·both·to·ensure·that·time·is·consistent·among158 protocols·can·be·used·both·to·ensure·that·time·is·consistent·among
188 a·network·of·systems,·and·that·their·time·is·consistent·with·the159 a·network·of·systems,·and·that·their·time·is·consistent·with·the
189 outside·world.160 outside·world.
190 <br><br>161 <br><br>
Offset 203, 15 lines modifiedOffset 174, 15 lines modified
203 <br><br>174 <br><br>
204 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP175 A·typical·network·setup·involves·a·small·number·of·internal·systems·operating·as·NTP
205 servers,·and·the·remainder·obtaining·time·information·from·those176 servers,·and·the·remainder·obtaining·time·information·from·those
206 internal·servers.177 internal·servers.
207 <br><br>178 <br><br>
208 More·information·on·how·to·configure·the·NTP·server·software,179 More·information·on·how·to·configure·the·NTP·server·software,
209 including·configuration·of·cryptographic·authentication·for180 including·configuration·of·cryptographic·authentication·for
210 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29889"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon181 time·data,·is·available·at·<a·href="http://www.ntp.org">http://www.ntp.org</a>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_ntpd_enabled"·id="guide-tree-leaf-idm29837"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled">Enable·the·NTP·Daemon
211 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>182 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
212 ··········183 ··········
213 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:184 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
214 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>185 ········<pre>$·sudo·chkconfig·--level·2345·ntpd·on</pre>
215 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>186 ········</p><span·class="label·label-primary">Rationale:</span><p>Enabling·the·<code>ntpd</code>·service·ensures·that·the·<code>ntpd</code>
216 service·will·be·running·and·that·the·system·will·synchronize·its·time·to187 service·will·be·running·and·that·the·system·will·synchronize·its·time·to
217 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be188 any·servers·specified.·This·is·important·whether·the·system·is·configured·to·be
Max diff block lines reached; 1337116/1361605 bytes (98.20%) of diff not shown.
1.76 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-stig-rhel6-disa.html
    
Offset 63, 23 lines modifiedOffset 63, 50 lines modified
63 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in63 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
64 this·guide·without·first·testing·them·in·a·non-operational·environment.·The64 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
65 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by65 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
66 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its66 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
67 quality,·reliability,·or·any·other·characteristic.67 quality,·reliability,·or·any·other·characteristic.
68 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>68 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>DISA·STIG·for·Red·Hat·Enterprise·Linux·6</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_stig-rhel6-disa</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
69 ····························(as·of·2018-07-26)69 ····························(as·of·2018-07-26)
70 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·910,·SHA:·9e31603d0e18b438741d26a5b46e138f2525272b0385c20d476cc1c15adf8af1·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.s
sgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services70 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Softw
are</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xc[·...·truncated·by·diffoscope;·len:·910,·SHA:·dfe52403ca27039c6fd60778f9cb46d9343b9cfec43f048aeacec9a362dd7410·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·250·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
71 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review71 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
72 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It72 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
73 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which73 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
74 ones·can·be·safely·disabled.74 ones·can·be·safely·disabled.
75 <br><br>75 <br><br>
76 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional76 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
77 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up77 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
78 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server78 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·57·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
 79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
 80 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
 81 that·passwords·and·other·data·transmitted·during·the·session·can·be
 82 captured·and·that·the·session·is·vulnerable·to·hijacking.
 83 Therefore,·running·the·FTP·server·software·is·not·recommended.
 84 <br><br>
 85 However,·there·are·some·FTP·server·configurations·which·may
 86 be·appropriate·for·some·environments,·particularly·those·which
 87 allow·only·read-only·anonymous·access·as·a·means·of·downloading
 88 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">Use·vsftpd·to·Provide·FTP·Service·if·Necessary
 89 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·primary·vsftpd·configuration·file·is
 90 <code>/etc/vsftpd.conf</code>,·if·that·file·exists,·or
 91 <code>/etc/vsftpd/vsftpd.conf</code>·if·it·does·not.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_log_transactions"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_log_transactions"·id="guide-tree-leaf-idm29046"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_log_transactions">Enable·Logging·of·All·FTP·Transactions
 92 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_log_transactions">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code>
 93 configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>:
 94 <pre>xferlog_enable=YES
 95 xferlog_std_format=NO
 96 log_ftp_protocol=YES</pre></p><span·class="label·label-primary">Rationale:</span><p>To·trace·malicious·activity·facilitated·by·the·FTP·service,·it·must·be·configured·to·ensure·that·all·commands·sent·to
 97 the·FTP·server·are·logged·using·the·verbose·vsftpd·log
 98 format.·The·default·vsftpd·log·file·is·<code>/var/log/vsftpd.log</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 99 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 100 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000037</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50503r1_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_ftp_present_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_ftp_present_banner"·id="guide-tree-leaf-idm29067"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp_configure_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_ftp_present_banner">Create·Warning·Banners·for·All·FTP·Users
 101 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_ftp_present_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code>
 102 by·default.·Add·or·correct·the·following·configuration·options:
 103 <pre>banner_file=/etc/issue</pre></p><span·class="label·label-primary">Rationale:</span><p>This·setting·will·cause·the·system·greeting·banner·to·be·used·for·FTP·connections·as·well.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 104 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 105 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000023</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50400r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server
79 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows106 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows
80 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft107 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft
81 Windows·systems.·There·are·two·software·packages·that·provide108 Windows·systems.·There·are·two·software·packages·that·provide
82 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of109 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of
83 command·line·tools·that·enable·a·client·system·to·access·Samba110 command·line·tools·that·enable·a·client·system·to·access·Samba
84 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba111 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba
85 service.·It·is·this·second·package·that·allows·a·Linux·system·to112 service.·It·is·this·second·package·that·allows·a·Linux·system·to
Offset 89, 39 lines modifiedOffset 116, 39 lines modified
89 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in116 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in
90 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a117 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a
91 <code>[global]</code>·configuration·section·and·a·series·of·user118 <code>[global]</code>·configuration·section·and·a·series·of·user
92 created·share·definition·sections·meant·to·describe·file·or·print119 created·share·definition·sections·meant·to·describe·file·or·print
93 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode120 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode
94 and·allow·client·systems·to·access·local·home·directories·and121 and·allow·client·systems·to·access·local·home·directories·and
95 printers.·It·is·recommended·that·these·settings·be·changed·or·that122 printers.·It·is·recommended·that·these·settings·be·changed·or·that
96 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient123 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29696"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient
97 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use124 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use
98 packet·signing,·add·the·following·to·the·<code>[global]</code>·section125 packet·signing,·add·the·following·to·the·<code>[global]</code>·section
99 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:126 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:
100 <pre>client·signing·=·mandatory</pre>127 <pre>client·signing·=·mandatory</pre>
101 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet128 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet
102 signing·ensures·they·can129 signing·ensures·they·can
103 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent130 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent
104 man-in-the-middle·attacks·which·modify·SMB·packets·in131 man-in-the-middle·attacks·which·modify·SMB·packets·in
105 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 132 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
106 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 133 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
107 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><pre><code>######################################################################134 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29707">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29707"><pre><code>######################################################################
108 #By·Luke·"Brisk-OH"·Brisk135 #By·Luke·"Brisk-OH"·Brisk
109 #luke.brisk@boeing.com·or·luke.brisk@gmail.com136 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
110 ######################################################################137 ######################################################################
  
111 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)138 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
112 if·[·"$CLIENTSIGNING"·-eq·0·];··then139 if·[·"$CLIENTSIGNING"·-eq·0·];··then
113 »       #·Add·to·global·section140 »       #·Add·to·global·section
114 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf141 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
115 else142 else
116 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf143 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
117 fi144 fi
118 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists145 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29708">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29708"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists
119 ··stat:146 ··stat:
120 ····path:·/etc/samba/smb.conf147 ····path:·/etc/samba/smb.conf
121 ··register:·st_smb148 ··register:·st_smb
122 ··tags:149 ··tags:
123 ····-·require_smb_client_signing150 ····-·require_smb_client_signing
124 ····-·unknown_severity151 ····-·unknown_severity
125 ····-·configure_strategy152 ····-·configure_strategy
Offset 141, 71 lines modifiedOffset 168, 191 lines modified
141 ····-·require_smb_client_signing168 ····-·require_smb_client_signing
142 ····-·unknown_severity169 ····-·unknown_severity
143 ····-·configure_strategy170 ····-·configure_strategy
144 ····-·low_complexity171 ····-·low_complexity
145 ····-·medium_disruption172 ····-·medium_disruption
146 ····-·CCE-26328-5173 ····-·CCE-26328-5
147 ····-·DISA-STIG-RHEL-06-000272174 ····-·DISA-STIG-RHEL-06-000272
148 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29096"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs175 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing"·id="guide-tree-leaf-idm29713"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·mount.cifs
149 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba176 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_mount_option_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Require·packet·signing·of·clients·who·mount·Samba
150 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares177 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares
151 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either178 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either
152 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.179 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.
153 <br><br>180 <br><br>
154 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba181 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba
155 client·should·only·communicate·with·servers·who·can·support·SMB182 client·should·only·communicate·with·servers·who·can·support·SMB
156 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle183 packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent·man-in-the-middle
157 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 184 attacks·which·modify·SMB·packets·in·transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
158 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 185 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
159 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_mail"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_mail">Mail·Server·Software186 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50458r2_rule</a></p></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ntp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol
160 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_mail">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Mail·servers·are·used·to·send·and·receive·email·over·the·network.187 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ntp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·Time·Protocol·is·used·to·manage·the·system
161 Mail·is·a·very·common·service,·and·Mail·Transfer·Agents·(MTAs)·are·obvious188 clock·over·a·network.·Computer·clocks·are·not·very·accurate,·so
162 targets·of·network·attack.189 time·will·drift·unpredictably·on·unmanaged·systems.·Central·time
163 Ensure·that·systems·are·not·running·MTAs·unnecessarily,190 protocols·can·be·used·both·to·ensure·that·time·is·consistent·among
164 and·configure·needed·MTAs·as·defensively·as·possible.191 a·network·of·systems,·and·that·their·time·is·consistent·with·the
 192 outside·world.
165 <br><br>193 <br><br>
166 Very·few·systems·at·any·site·should·be·configured·to·directly·receive·email·over·the194 If·every·system·on·a·network·reliably·reports·the·same·time,·then·it·is·much
167 network.·Users·should·instead·use·mail·client·programs·to·retrieve·email195 easier·to·correlate·log·messages·in·case·of·an·attack.·In·addition,·a·number·of
168 from·a·central·server·that·supports·protocols·such·as·IMAP·or·POP3.196 cryptographic·protocols·(such·as·Kerberos)·use·timestamps·to·prevent·certain
169 However,·it·is·normal·for·most·systems·to·be·independently·capable·of·sending·email,197 types·of·attacks.·If·your·network·does·not·have·synchronized·time,·these
170 for·instance·so·that·cron·jobs·can·report·output·to·an·administrator.198 protocols·may·be·unreliable·or·even·unusable.
171 Most·MTAs,·including·Postfix,·support·a·submission-only·mode·in·which·mail·can·be·sent·from 
172 the·local·system·to·a·central·site·MTA·(or·directly·delivered·to·a·local·account), 
173 but·the·system·still·cannot·receive·mail·directly·over·a·network. 
174 <br><br>199 <br><br>
175 The·<code>alternatives</code>·program·in·Red·Hat·Enterprise·Linux·permits·selection·of·other·mail·server·software200 Depending·on·the·specifics·of·the·network,·global·time·accuracy·may·be·just·as
Max diff block lines reached; 1809627/1843908 bytes (98.14%) of diff not shown.
1.65 MB
./usr/share/doc/ssg-nondebian/ssg-sl6-guide-usgcb-rhel6-server.html
    
Offset 57, 45 lines modifiedOffset 57, 45 lines modified
57 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in57 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The58 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by59 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its60 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
61 quality,·reliability,·or·any·other·characteristic.61 quality,·reliability,·or·any·other·characteristic.
62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>62 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>United·States·Government·Configuration·Baseline·(USGCB)</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_usgcb-rhel6-server</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
63 ····························(as·of·2018-07-26)63 ····························(as·of·2018-07-26)
64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgpr[·...·truncated·by·diffoscope;·len:·1135,·SHA:·fa1f688fecfd327721db14768693baf620a8eed48e56a9c84b2b1d81c622771a·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.
ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:6</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:6::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·
href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·1135,·SHA:·21de240d343fbd223cf68c70c59d884c3ee65c2748e12911430648c71044dd8d·...·]</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·0px"><small>contains·223·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·6·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·6·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·6·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·6·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_smb"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-6"><td·style="padding-left:·19px"><small>contains·56·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_smb">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>When·properly·configured,·the·Samba·service·allows73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
74 Linux·systems·to·provide·file·and·print·sharing·to·Microsoft74 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
75 Windows·systems.·There·are·two·software·packages·that·provide75 that·passwords·and·other·data·transmitted·during·the·session·can·be
76 Samba·support.·The·first,·<code>samba-client</code>,·provides·a·series·of76 captured·and·that·the·session·is·vulnerable·to·hijacking.
77 command·line·tools·that·enable·a·client·system·to·access·Samba77 Therefore,·running·the·FTP·server·software·is·not·recommended.
78 shares.·The·second,·simply·labeled·<code>samba</code>,·provides·the·Samba78 <br><br>
79 service.·It·is·this·second·package·that·allows·a·Linux·system·to79 However,·there·are·some·FTP·server·configurations·which·may
80 act·as·an·Active·Directory·server,·a·domain·controller,·or·as·a80 be·appropriate·for·some·environments,·particularly·those·which
81 domain·member.·Only·the·<code>samba-client</code>·package·is·installed·by81 allow·only·read-only·anonymous·access·as·a·means·of·downloading
82 default.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_smb"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_samba">Disable·Samba·if·Possible82 data·available·to·the·public.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_vsftpd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_vsftpd">Disable·vsftpd·if·Possible
83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Even·after·the·Samba·server·package·has·been·installed,·it83 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_vsftpd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>To·minimize·attack·surface,·disable·vsftpd·if·at·all
84 will·remain·disabled.·Do·not·enable·this·service·unless·it·is84 possible.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ftp"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_vsftpd_disabled"·id="guide-tree-leaf-idm29100"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">Disable·vsftpd·Service
85 absolutely·necessary·to·provide·Microsoft·Windows·file·and·print85 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_vsftpd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
86 sharing·functionality.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_smb_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_smb_disabled"·id="guide-tree-leaf-idm29002"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_smb_disabled">Disable·Samba 
87 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_smb_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p> 
88 ············86 ············
89 ········The·<code>smb</code>·service·can·be·disabled·with·the·following·command:87 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
90 ········<pre>$·sudo·chkconfig·smb·off</pre>88 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
91 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·a·Samba·server·provides·a·network-based·avenue·of·attack,·and89 ··········</p><span·class="label·label-primary">Rationale:</span><p>Running·FTP·server·software·provides·a·network-based·avenue
92 should·be·disabled·if·not·needed.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 90 of·attack,·and·should·be·disabled·if·not·needed.
 91 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
 92 a·risk·of·compromising·sensitive·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 93 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
94 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29009">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29009"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.94 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
95 #95 #
96 #·Example·Call(s):96 #·Example·Call(s):
97 #97 #
98 #·····service_command·enable·bluetooth98 #·····service_command·enable·bluetooth
99 #·····service_command·disable·bluetooth.service99 #·····service_command·disable·bluetooth.service
100 #100 #
101 #·····Using·xinetd:101 #·····Using·xinetd:
Offset 162, 124 lines modifiedOffset 162, 123 lines modified
162 ··else162 ··else
163 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd163 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
164 ··fi164 ··fi
165 fi165 fi
  
166 }166 }
  
167 service_command·disable·smb167 service_command·disable·vsftpd
168 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29011">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29011"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·smb168 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29110">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29110"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·vsftpd
169 ··service:169 ··service:
170 ····name="{{item}}"170 ····name="{{item}}"
171 ····enabled="no"171 ····enabled="no"
172 ····state="stopped"172 ····state="stopped"
173 ··register:·service_result173 ··register:·service_result
174 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"174 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
175 ··with_items:175 ··with_items:
176 ····-·smb176 ····-·vsftpd
177 ··tags:177 ··tags:
178 ····-·service_smb_disabled178 ····-·service_vsftpd_disabled
179 ····-·unknown_severity179 ····-·unknown_severity
180 ····-·disable_strategy180 ····-·disable_strategy
181 ····-·low_complexity181 ····-·low_complexity
182 ····-·low_disruption182 ····-·low_disruption
183 ····-·CCE-27143-7183 ····-·CCE-26948-0
184 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configuring_samba"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configuring_samba">Configure·Samba·if·Necessary184 ····-·NIST-800-53-CM-7
185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configuring_samba">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>All·settings·for·the·Samba·daemon·can·be·found·in185 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_vsftpd_removed"·id="guide-tree-leaf-idm29115"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_disabling_vsftpd"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_vsftpd_removed">Uninstall·vsftpd·Package
186 <code>/etc/samba/smb.conf</code>.·Settings·are·divided·between·a186 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_vsftpd_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
187 <code>[global]</code>·configuration·section·and·a·series·of·user187 ············
188 created·share·definition·sections·meant·to·describe·file·or·print188 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
189 shares·on·the·system.·By·default,·Samba·will·operate·in·user·mode189 ········<pre>$·sudo·yum·erase·vsftpd</pre>
190 and·allow·client·systems·to·access·local·home·directories·and190 ··········</p><span·class="label·label-primary">Rationale:</span><p>Removing·the·vsftpd·package·decreases·the·risk·of·its
191 printers.·It·is·recommended·that·these·settings·be·changed·or·that191 accidental·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
192 additional·limitations·be·set·in·place.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configuring_samba"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smb"><td·style="padding-left:·57px"><small>contains·2·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_require_smb_client_signing"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_smb_client_signing"·id="guide-tree-leaf-idm29079"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configuring_samba"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_require_smb_client_signing">Require·Client·SMB·Packet·Signing,·if·using·smbclient 
193 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_require_smb_client_signing">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·require·samba·clients·running·<code>smbclient</code>·to·use 
194 packet·signing,·add·the·following·to·the·<code>[global]</code>·section 
195 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>: 
196 <pre>client·signing·=·mandatory</pre> 
197 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet 
198 signing·ensures·they·can 
199 only·communicate·with·servers·that·support·packet·signing.</p><span·class="label·label-primary">Rationale:</span><p>Packet·signing·can·prevent 
200 man-in-the-middle·attacks·which·modify·SMB·packets·in 
201 transit.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span>  
202 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 192 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
203 ············<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-999999</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-50457r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29090">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29090"><pre><code>######################################################################193 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm29123">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29123"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
204 #By·Luke·"Brisk-OH"·Brisk194 #
205 #luke.brisk@boeing.com·or·luke.brisk@gmail.com195 #·Example·Call(s):
206 ######################################################################196 #
 197 #·····package_remove·telnet-server
 198 #
 199 function·package_remove·{
  
207 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)200 #·Load·function·arguments·into·local·variables
 201 local·package="$1"
  
208 if·[·"$CLIENTSIGNING"·-eq·0·];··then202 #·Check·sanity·of·the·input
209 »       #·Add·to·global·section203 if·[·$#·-ne·"1"·]
210 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf204 then
 205 ··echo·"Usage:·package_remove·'package_name'"
 206 ··echo·"Aborting."
 207 ··exit·1
 208 fi
  
 209 if·which·dnf·;·then
 210 ··if·rpm·-q·--quiet·"$package";·then
 211 ····dnf·remove·-y·"$package"
 212 ··fi
 213 elif·which·yum·;·then
 214 ··if·rpm·-q·--quiet·"$package";·then
 215 ····yum·remove·-y·"$package"
 216 ··fi
 217 elif·which·apt-get·;·then
 218 ··apt-get·remove·-y·"$package"
211 else219 else
212 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf220 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 221 ··echo·"Aborting."
 222 ··exit·1
213 fi223 fi
214 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm29091">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm29091"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>-·name:·Check·if·/etc/samba/smb.conf·exists 
215 ··stat: 
Max diff block lines reached; 1705539/1731623 bytes (98.49%) of diff not shown.
1020 KB
./usr/share/doc/ssg-nondebian/ssg-sl7-guide-C2S.html
    
Offset 66, 15 lines modifiedOffset 66, 15 lines modified
66 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in66 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
67 this·guide·without·first·testing·them·in·a·non-operational·environment.·The67 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
68 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by68 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
69 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its69 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
70 quality,·reliability,·or·any·other·characteristic.70 quality,·reliability,·or·any·other·characteristic.
71 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>71 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·Title</th><td>C2S·for·Red·Hat·Enterprise·Linux·7</td></tr><tr><th>Profile·ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
72 ····························(as·of·2018-07-26)72 ····························(as·of·2018-07-26)
73 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a·href="#xccdf_org.ssgproject.c[·...·truncated·by·diffoscope;·len:·39,·SHA:·9fa1eff42ec8317736e4e9e4a39edaacb764d06e868832c02f95c6f4d064aaef·...·]</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_a
nd_rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"><small>contains·213·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services73 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ntp">Network·Time·Protocol</a></li><li><a·href="#xccdf_org.ssgproject.content_group_base">Base·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_proxy">Proxy·Server</a></li><li><a·href="#xccdf_[·...·truncated·by·diffoscope;·len:·39,·SHA:·71531d2cb5e45bf87276058ffe0a5eac9722a5944d366562dfd03b1cc8832d7f·...·]</a></li><li><a·href="#xccdf_org.ssgproject.content_group_nfs_and_
rpc">NFS·and·RPC</a></li><li><a·href="#xccdf_org.ssgproject.content_group_printing">Print·Support</a></li><li><a·href="#xccdf_org.ssgproject.content_group_avahi">Avahi·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ssh">SSH·Server</a></li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"><small>contains·213·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
75 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It75 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It
76 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which76 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which
77 ones·can·be·safely·disabled.77 ones·can·be·safely·disabled.
78 <br><br>78 <br><br>
79 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional79 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
80 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up80 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
Offset 92, 24 lines modifiedOffset 92, 24 lines modified
92 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict92 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
93 the·service·as·much·as·possible,·for·instance·by·configuring·host93 the·service·as·much·as·possible,·for·instance·by·configuring·host
94 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the94 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
95 vulnerable·service·to·only·those·remote·hosts·which·have·a·known95 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
96 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec96 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·14·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
97 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which97 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
98 allow·cleartext·remote·access·and·have·an·insecure·trust98 allow·cleartext·remote·access·and·have·an·insecure·trust
99 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm36021"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package99 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
100 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands100 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
101 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have101 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
102 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,102 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
103 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from103 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
104 inadvertently·attempting·to·use·these·commands·and·therefore·exposing104 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
105 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes105 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
106 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 106 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
107 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 107 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
108 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36044">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36044"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.108 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
109 #109 #
110 #·Example·Call(s):110 #·Example·Call(s):
111 #111 #
112 #·····package_remove·telnet-server112 #·····package_remove·telnet-server
113 #113 #
114 function·package_remove·{114 function·package_remove·{
  
Offset 139, 62 lines modifiedOffset 139, 62 lines modified
139 ··echo·"Aborting."139 ··echo·"Aborting."
140 ··exit·1140 ··exit·1
141 fi141 fi
  
142 }142 }
  
143 package_remove·rsh143 package_remove·rsh
144 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36046">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36046"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed144 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36023">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36023"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
145 ··package:145 ··package:
146 ····name="{{item}}"146 ····name="{{item}}"
147 ····state=absent147 ····state=absent
148 ··with_items:148 ··with_items:
149 ····-·rsh149 ····-·rsh
150 ··tags:150 ··tags:
151 ····-·package_rsh_removed151 ····-·package_rsh_removed
152 ····-·unknown_severity152 ····-·unknown_severity
153 ····-·disable_strategy153 ····-·disable_strategy
154 ····-·low_complexity154 ····-·low_complexity
155 ····-·low_disruption155 ····-·low_disruption
156 ····-·CCE-27274-0156 ····-·CCE-27274-0
157 ····-·NIST-800-171-3.1.13157 ····-·NIST-800-171-3.1.13
158 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36047">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36047"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh158 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36024">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36024"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
159 class·remove_rsh·{159 class·remove_rsh·{
160 ··package·{·'rsh':160 ··package·{·'rsh':
161 ····ensure·=&gt;·'purged',161 ····ensure·=&gt;·'purged',
162 ··}162 ··}
163 }163 }
164 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36048">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36048"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>164 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36025">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36025"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
165 package·--remove=rsh165 package·--remove=rsh
166 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36053"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service166 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
167 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with167 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
168 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately168 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
169 as·a·systemd·socket,·should·be·disabled.169 as·a·systemd·socket,·should·be·disabled.
170 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.170 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
171 If·using·systemd,·171 If·using·systemd,·
172 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:172 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
173 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which173 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
174 means·that·data·from·the·login·session,·including·passwords·and174 means·that·data·from·the·login·session,·including·passwords·and
175 all·other·information·transmitted·during·the·session,·can·be175 all·other·information·transmitted·during·the·session,·can·be
176 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 176 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
177 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 177 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
178 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36077">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36077"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\178 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36054">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36054"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
179 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin179 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
180 #180 #
181 #·Disable·rlogin.socket·for·all·systemd·targets181 #·Disable·rlogin.socket·for·all·systemd·targets
182 #182 #
183 systemctl·disable·rlogin.socket183 systemctl·disable·rlogin.socket
  
184 #184 #
185 #·Stop·rlogin.socket·if·currently·running185 #·Stop·rlogin.socket·if·currently·running
186 #186 #
187 systemctl·stop·rlogin.socket187 systemctl·stop·rlogin.socket
188 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36078">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36078"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin188 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36055">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36055"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
189 ··service:189 ··service:
190 ····name="{{item}}"190 ····name="{{item}}"
191 ····enabled="no"191 ····enabled="no"
192 ····state="stopped"192 ····state="stopped"
193 ··register:·service_result193 ··register:·service_result
194 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"194 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
195 ··with_items:195 ··with_items:
Offset 207, 39 lines modifiedOffset 207, 39 lines modified
207 ····-·low_disruption207 ····-·low_disruption
208 ····-·CCE-27336-7208 ····-·CCE-27336-7
209 ····-·NIST-800-53-AC-17(8)209 ····-·NIST-800-53-AC-17(8)
210 ····-·NIST-800-53-CM-7210 ····-·NIST-800-53-CM-7
211 ····-·NIST-800-53-IA-5(1)(c)211 ····-·NIST-800-53-IA-5(1)(c)
212 ····-·NIST-800-171-3.1.13212 ····-·NIST-800-171-3.1.13
213 ····-·NIST-800-171-3.4.7213 ····-·NIST-800-171-3.4.7
214 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service214 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
215 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with215 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
216 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately216 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
217 as·a·systemd·socket,·should·be·disabled.217 as·a·systemd·socket,·should·be·disabled.
218 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·218 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
219 If·using·systemd,·219 If·using·systemd,·
220 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:220 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
221 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which221 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
222 means·that·data·from·the·login·session,·including·passwords·and222 means·that·data·from·the·login·session,·including·passwords·and
223 all·other·information·transmitted·during·the·session,·can·be223 all·other·information·transmitted·during·the·session,·can·be
224 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 224 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
225 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 225 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
226 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36107">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36107"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\226 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
227 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec227 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
228 #228 #
Max diff block lines reached; 1006940/1040005 bytes (96.82%) of diff not shown.
472 KB
./usr/share/doc/ssg-nondebian/ssg-sl7-guide-cjis.html
    
Offset 82, 26 lines modifiedOffset 82, 26 lines modified
82 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·82 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·
83 is·called·<code>sshd</code>·and·provided·by·the·RPM·package83 is·called·<code>sshd</code>·and·provided·by·the·RPM·package
84 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary84 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary
85 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then85 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
86 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration86 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
87 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be87 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
88 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more88 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
89 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39690"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords89 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·11·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords"·id="guide-tree-leaf-idm39706"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">Disable·SSH·Access·via·Empty·Passwords
90 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with90 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·explicitly·disallow·SSH·login·from·accounts·with
91 empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>:91 empty·passwords,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>:
92 <br>92 <br>
93 <pre>PermitEmptyPasswords·no</pre>93 <pre>PermitEmptyPasswords·no</pre>
94 <br>94 <br>
95 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration95 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration
96 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that96 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</p><span·class="label·label-primary">Rationale:</span><p>Configuring·this·setting·for·the·SSH·daemon·provides·additional·assurance·that
97 remote·login·via·SSH·will·require·a·password,·even·in·the·event·of·97 remote·login·via·SSH·will·require·a·password,·even·in·the·event·of·
98 misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 98 misconfiguration·elsewhere.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
99 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 99 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
100 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm39715">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39715"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if100 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_AFL.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86563r2_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.9</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-00
0480-GPOS-00229</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm39731">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39731"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
101 #·it·does·not·exist.101 #·it·does·not·exist.
102 #102 #
103 #·Expects·arguments:103 #·Expects·arguments:
104 #104 #
105 #·config_file:»  »  Configuration·file·that·will·be·modified105 #·config_file:»  »  Configuration·file·that·will·be·modified
106 #·key:»  »  »  Configuration·option·to·change106 #·key:»  »  »  Configuration·option·to·change
107 #·value:»»Value·of·the·configuration·option·to·change107 #·value:»»Value·of·the·configuration·option·to·change
Offset 172, 15 lines modifiedOffset 172, 15 lines modified
172 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline172 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
173 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"173 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"
174 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"174 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"
175 ··fi175 ··fi
176 }176 }
  
177 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'177 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'
178 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39717">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39717"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Disable·SSH·Access·via·Empty·Passwords178 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39733">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39733"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Disable·SSH·Access·via·Empty·Passwords
179 ··lineinfile:179 ··lineinfile:
180 ····create:·yes180 ····create:·yes
181 ····dest:·/etc/ssh/sshd_config181 ····dest:·/etc/ssh/sshd_config
182 ····regexp:·^PermitEmptyPasswords182 ····regexp:·^PermitEmptyPasswords
183 ····line:·PermitEmptyPasswords·no183 ····line:·PermitEmptyPasswords·no
184 ····validate:·sshd·-t·-f·%s184 ····validate:·sshd·-t·-f·%s
185 ··tags:185 ··tags:
Offset 193, 21 lines modifiedOffset 193, 21 lines modified
193 ····-·NIST-800-53-AC-3193 ····-·NIST-800-53-AC-3
194 ····-·NIST-800-53-AC-6194 ····-·NIST-800-53-AC-6
195 ····-·NIST-800-53-CM-6(b)195 ····-·NIST-800-53-CM-6(b)
196 ····-·NIST-800-171-3.1.1196 ····-·NIST-800-171-3.1.1
197 ····-·NIST-800-171-3.1.5197 ····-·NIST-800-171-3.1.5
198 ····-·CJIS-5.5.6198 ····-·CJIS-5.5.6
199 ····-·DISA-STIG-RHEL-07-010300199 ····-·DISA-STIG-RHEL-07-010300
200 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm39723"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count200 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_keepalive"·id="guide-tree-leaf-idm39739"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive">Set·SSH·Client·Alive·Count
201 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,201 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_keepalive">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·ensure·the·SSH·idle·timeout·occurs·precisely·when·the·<code>ClientAliveCountMax</code>·is·set,
202 edit·<code>/etc/ssh/sshd_config</code>·as·follows:202 edit·<code>/etc/ssh/sshd_config</code>·as·follows:
203 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>203 <pre>ClientAliveCountMax·0</pre></p><span·class="label·label-primary">Rationale:</span><p>This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
204 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 204 is·reached.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
205 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 205 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
206 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm39748">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39748"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if206 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86865r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx
">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm39764">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39764"><pre><code>#·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
207 #·it·does·not·exist.207 #·it·does·not·exist.
208 #208 #
209 #·Expects·arguments:209 #·Expects·arguments:
210 #210 #
211 #·config_file:»  »  Configuration·file·that·will·be·modified211 #·config_file:»  »  Configuration·file·that·will·be·modified
212 #·key:»  »  »  Configuration·option·to·change212 #·key:»  »  »  Configuration·option·to·change
213 #·value:»»Value·of·the·configuration·option·to·change213 #·value:»»Value·of·the·configuration·option·to·change
Offset 278, 15 lines modifiedOffset 278, 15 lines modified
278 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline278 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
279 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"279 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"
280 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"280 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"
281 ··fi281 ··fi
282 }282 }
  
283 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'283 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
284 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39750">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39750"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Set·SSH·Client·Alive·Count284 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39766">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39766"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Set·SSH·Client·Alive·Count
285 ··lineinfile:285 ··lineinfile:
286 ····create:·yes286 ····create:·yes
287 ····dest:·/etc/ssh/sshd_config287 ····dest:·/etc/ssh/sshd_config
288 ····regexp:·^ClientAliveCountMax288 ····regexp:·^ClientAliveCountMax
289 ····line:·ClientAliveCountMax·0289 ····line:·ClientAliveCountMax·0
290 ····validate:·sshd·-t·-f·%s290 ····validate:·sshd·-t·-f·%s
291 ··#notify:·restart·sshd291 ··#notify:·restart·sshd
Offset 299, 25 lines modifiedOffset 299, 35 lines modified
299 ····-·CCE-27082-7299 ····-·CCE-27082-7
300 ····-·NIST-800-53-AC-2(5)300 ····-·NIST-800-53-AC-2(5)
301 ····-·NIST-800-53-SA-8301 ····-·NIST-800-53-SA-8
302 ····-·NIST-800-53-AC-12302 ····-·NIST-800-53-AC-12
303 ····-·NIST-800-171-3.1.11303 ····-·NIST-800-171-3.1.11
304 ····-·CJIS-5.5.6304 ····-·CJIS-5.5.6
305 ····-·DISA-STIG-RHEL-07-040340305 ····-·DISA-STIG-RHEL-07-040340
306 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner"·id="guide-tree-leaf-idm39794"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner">Enable·SSH·Warning·Banner306 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39772"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
307 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>To·enable·the·warning·banner·and·ensure·it·is·consistent307 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout
308 across·the·system,·add·or·correct·the·following·line·in·<code>/etc/ssh/sshd_config</code>:308 interval.
309 <pre>Banner·/etc/issue</pre>309 After·this·interval·has·passed,·the·idle·user·will·be
310 Another·section·contains·information·on·how·to·create·an310 automatically·logged·out.
311 appropriate·system-wide·warning·banner.</p><span·class="label·label-primary">Rationale:</span><p>The·warning·message·reinforces·policy·awareness·during·the·logon·process·and311 <br><br>
312 facilitates·possible·legal·action·against·attackers.·Alternatively,·systems312 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
313 whose·ownership·should·not·be·obvious·should·ensure·usage·of·a·banner·that·does313 follows:
314 not·provide·easy·attribution.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 314 <pre>ClientAliveInterval·<b>interval</b></pre>
315 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 315 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout
316 ············<a·href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86849r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.16</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000048</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000050</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001384</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001385</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001386</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001387</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001388</a>,·<a·href="https://[·...·truncated·by·diffoscope;·len:·1824,·SHA:·5bf3c613fdc351160bb491cc9ad2eeff3d033f644516571cebb8c7a28b65da15·...·]316 of·10·minutes,·set·<b>interval</b>·to·600.
 317 <br><br>
 318 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·
 319 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
 320 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of
 321 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session
 322 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
 323 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
 324 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm39797">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39797"><pre><code>
 325 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">1800</abbr>"
 326 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
317 #·it·does·not·exist.327 #·it·does·not·exist.
318 #328 #
319 #·Expects·arguments:329 #·Expects·arguments:
320 #330 #
321 #·config_file:»  »  Configuration·file·that·will·be·modified331 #·config_file:»  »  Configuration·file·that·will·be·modified
322 #·key:»  »  »  Configuration·option·to·change332 #·key:»  »  »  Configuration·option·to·change
323 #·value:»»Value·of·the·configuration·option·to·change333 #·value:»»Value·of·the·configuration·option·to·change
Offset 387, 45 lines modifiedOffset 397, 54 lines modified
387 ··else397 ··else
388 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline398 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
389 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"399 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·&gt;&gt;·"$config_file"
390 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"400 ····printf·'%s\n'·"$formatted_output"·&gt;&gt;·"$config_file"
391 ··fi401 ··fi
392 }402 }
  
393 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'403 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
394 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39828">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39828"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·Enable·SSH·Warning·Banner404 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm39800">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39800"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>-·name:·XCCDF·Value·sshd_idle_timeout_value·#·promote·to·variable
 405 ··set_fact:
Max diff block lines reached; 456402/483650 bytes (94.37%) of diff not shown.
116 KB
./usr/share/doc/ssg-nondebian/ssg-sl7-guide-default.html
    
Offset 56, 27 lines modifiedOffset 56, 24 lines modified
56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in56 <p>Members·of·the·<i>Scientifc·Linux</i>·community·are·invited·to·participate·in·<a·href="http://open-scap.org">OpenSCAP</a>·and·<a·href="https://github.com/OpenSCAP/scap-security-guide">SCAP·Security·Guide</a>·development.·Bug·reports·and·patches·can·be·sent·to·GitHub:·<a·href="https://github.com/OpenSCAP/scap-security-guide">https://github.com/OpenSCAP/scap-security-guide</a>.·The·mailing·list·is·at·<a·href="https://fedorahosted.org/mailman/listinfo/scap-security-guide">https://fedorahosted.org/mailman/listinfo/scap-security-guide</a>.</p></div></div><div·class="alert·alert-info">Do·not·attempt·to·implement·any·of·the·settings·in
57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The57 this·guide·without·first·testing·them·in·a·non-operational·environment.·The
58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by58 creators·of·this·guidance·assume·no·responsibility·whatsoever·for·its·use·by
59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its59 other·parties,·and·makes·no·guarantees,·expressed·or·implied,·about·its
60 quality,·reliability,·or·any·other·characteristic.60 quality,·reliability,·or·any·other·characteristic.
61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>61 </div></div></div><table·class="table·table-bordered"><tr><th>Profile·ID</th><td><abbr·title="No·profile·was·selected.">(default)</abbr></td></tr></table></div><div·class="col-md-4"><h2>Revision·History</h2><p>Current·version:·<strong>0.1.39</strong></p><ul><li><strong>draft</strong>
62 ····························(as·of·2018-07-26)62 ····························(as·of·2018-07-26)
63 ························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_docker">Docker·Service</a></li><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="#xcc[·...·truncated·by·diffoscope;·len:·1045,·SHA:·427d41e93b9df052bf3dd439ca5d5079efd8e47dbd3fdf0310dd320bc63cc356·...·]</a>
</li></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project63 
························</li></ul><h2>Platforms</h2><ul·class="list-group"><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:scientificlinux:scientificlinux:7</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::client</span></li><li·class="list-group-item"><span·class="label·label-default">cpe:/o:redhat:enterprise_linux:7::computenode</span></li></ul></div></div></div><h2>Table·of·Contents</h2><ol><li><a·href="#xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project</a></li><li><a·href="#xccdf_org.ssgproject.content_group_services">Services</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services</a></li><li><a·href="#xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_openstack">OpenStack</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ftp">FTP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_snmp">SNMP·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons</a></li><li><a·href="#xccdf_org.ssgproject.content_group_xwindows">X·Window·System</a></li><li><a·href="#xccdf_org.ssgproject.content_group_routing">Network·Routing</a></li><li><a·href="#xccdf_org.ssgproject.content_group_dns">DNS·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a·href="#xccdf_org.ssgproject.content_group_mail">Mail·Server·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB)·Microsoft·Windows·File·Sharing·Server</a></li><li><a·href="#xccdf_org.ssgproject.content_group_http">Web·Server</a></li><li><a·href="[·...·truncated·by·diffoscope;·len:·1045,·SHA:·34a457b90e6dfc8c26555d3cb2e11b5b3c1823d634243e7c52f3554b7bfc3eae·...·]</a></l
i></ol><li><a·href="#xccdf_org.ssgproject.content_group_system">System·Settings</a></li><ol><li><a·href="#xccdf_org.ssgproject.content_group_software">Installing·and·Maintaining·Software</a></li><li><a·href="#xccdf_org.ssgproject.content_group_logging">Configure·Syslog</a></li><li><a·href="#xccdf_org.ssgproject.content_group_network">Network·Configuration·and·Firewalls</a></li><li><a·href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li><li><a·href="#xccdf_org.ssgproject.content_group_accounts">Account·and·Access·Control</a></li><li><a·href="#xccdf_org.ssgproject.content_group_auditing">System·Accounting·with·&lt;tt&gt;auditd&lt;/tt&gt;</a></li><li><a·href="#xccdf_org.ssgproject.content_group_permissions">File·Permissions·and·Masks</a></li></ol></ol><div·id="guide-tree"><h2>Checklist</h2><table·class="treetable·table·table-bordered"><tbody><tr·data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·0px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_remediation_functions"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_remediation_functions">Remediation·functions·used·by·the·SCAP·Security·Guide·Project
64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services64 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_remediation_functions">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>XCCDF·form·of·the·various·remediation·functions·as·used·by·remediation·scripts·from·the·SCAP·Security·Guide·Project.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_remediation_functions"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><h3·id="xccdf_org.ssgproject.content_group_services">Services
65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review65 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·best·protection·against·vulnerable·software·is·running·less·software.·This·section·describes·how·to·review
66 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It66 the·software·which·Red·Hat·Enterprise·Linux·7·installs·on·a·system·and·disable·software·which·is·not·needed.·It
67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which67 then·enumerates·the·software·packages·installed·on·a·default·Red·Hat·Enterprise·Linux·7·system·and·provides·guidance·about·which
68 ones·can·be·safely·disabled.68 ones·can·be·safely·disabled.
69 <br><br>69 <br><br>
70 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional70 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
71 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up71 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service72 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services
73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are 
74 ··self-sufficient·and·self-contained·applications·using·the·resource 
75 ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_obsolete"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_obsolete">Obsolete·Services 
76 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible73 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·discusses·a·number·of·network-visible
77 services·which·have·historically·caused·problems·for·system74 services·which·have·historically·caused·problems·for·system
78 security,·and·for·which·disabling·or·severely·limiting·the·service75 security,·and·for·which·disabling·or·severely·limiting·the·service
79 has·been·the·best·available·guidance·for·some·time.·As·a·result·of76 has·been·the·best·available·guidance·for·some·time.·As·a·result·of
80 this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·777 this,·many·of·these·services·are·not·installed·as·part·of·Red·Hat·Enterprise·Linux·7
81 by·default.78 by·default.
82 <br><br>79 <br><br>
Offset 110, 15 lines modifiedOffset 107, 51 lines modified
110 found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd107 found.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_tftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_inetd_and_xinetd"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">Xinetd
111 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some108 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_inetd_and_xinetd">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·<code>xinetd</code>·service·acts·as·a·dedicated·listener·for·some
112 network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access109 network·services·(mostly,·obsolete·ones)·and·can·be·used·to·provide·access
113 controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other110 controls·and·perform·some·logging.·It·has·been·largely·obsoleted·by·other
114 features,·and·it·is·not·installed·by·default.·The·older·Inetd·service111 features,·and·it·is·not·installed·by·default.·The·older·Inetd·service
115 is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services112 is·not·even·available·as·part·of·Red·Hat·Enterprise·Linux·7.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_inetd_and_xinetd"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_talk"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_talk">Chat/Messaging·Services
116 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages113 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_talk">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·talk·software·makes·it·possible·for·users·to·send·and·receive·messages
117 across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack114 across·systems·through·a·terminal·session.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_talk"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server
 115 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not
 116 installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a>
 117 contains·more·detailed·information·about·Dovecot
 118 configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary
 119 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or
 120 POP3·server,·the·dovecot·software·should·be·configured·securely·by·following
 121 the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support
 122 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the·
 123 Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot·
 124 server·in·order·to·read·their·mail,·and·passwords·should·never·be·
 125 transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is·
 126 downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates·
 127 to·authenticate·the·server,·preventing·another·system·from·impersonating·
 128 the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server
 129 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound
 130 access·to·any·services.·This·modification·will·allow·remote·hosts·to
 131 initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports
 132 on·the·server·in·their·default·protected·state.
  
 133 ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s):
 134 ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and
 135 ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols
 136 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as·
 137 SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server·
 138 to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.·
 139 Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with·
 140 only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,·
 141 <code>pop3</code>,·<code>pop3s</code>)·required:
 142 <pre>protocols·=·PROTOCOL</pre>
 143 If·possible,·require·SSL·protection·for·all·transactions.·The·SSL·
 144 protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for·
 145 pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.·
 146 An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the·
 147 client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot
 148 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or
 149 POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_openstack"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_openstack">OpenStack
118 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server150 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_openstack">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>TODO·TODO·TODO</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_openstack"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ftp"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ftp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_ftp">FTP·Server
119 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to151 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ftp">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>FTP·is·a·common·method·for·allowing·remote·access·to
120 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means152 files.·Like·telnet,·the·FTP·protocol·is·unencrypted,·which·means
121 that·passwords·and·other·data·transmitted·during·the·session·can·be153 that·passwords·and·other·data·transmitted·during·the·session·can·be
122 captured·and·that·the·session·is·vulnerable·to·hijacking.154 captured·and·that·the·session·is·vulnerable·to·hijacking.
123 Therefore,·running·the·FTP·server·software·is·not·recommended.155 Therefore,·running·the·FTP·server·software·is·not·recommended.
124 <br><br>156 <br><br>
Offset 874, 51 lines modifiedOffset 907, 18 lines modified
874 supersede·domain-name-servers·192.168.1.2;907 supersede·domain-name-servers·192.168.1.2;
875 supersede·nis-domain·"";908 supersede·nis-domain·"";
876 supersede·nis-servers·"";909 supersede·nis-servers·"";
877 supersede·ntp-servers·"ntp.example.com·";910 supersede·ntp-servers·"ntp.example.com·";
878 supersede·routers·192.168.1.1;911 supersede·routers·192.168.1.1;
879 supersede·time-offset·-18000;912 supersede·time-offset·-18000;
880 request·subnet-mask;913 request·subnet-mask;
881 require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_imap"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_imap">IMAP·and·POP3·Server914 require·subnet-mask;</pre></p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dhcp_client_restrict_options"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_dhcp_client_configuration"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_docker"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_docker">Docker·Service
882 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_imap">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·provides·IMAP·and·POP3·services.·It·is·not915 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_docker">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·docker·service·is·necessary·to·create·containers,·which·are
883 installed·by·default.·The·project·page·at·<a·href="http://www.dovecot.org">http://www.dovecot.org</a>916 ··self-sufficient·and·self-contained·applications·using·the·resource
884 contains·more·detailed·information·about·Dovecot917 ··isolation·features·of·the·kernel.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_docker"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC
885 configuration.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_imap"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_configure_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_configure_dovecot">Configure·Dovecot·if·Necessary 
886 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_configure_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·will·operate·as·an·IMAP·or 
887 POP3·server,·the·dovecot·software·should·be·configured·securely·by·following 
888 the·recommendations·below.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">Enable·SSL·Support 
889 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>SSL·should·be·used·to·encrypt·network·traffic·between·the· 
890 Dovecot·server·and·its·clients.·Users·must·authenticate·to·the·Dovecot· 
891 server·in·order·to·read·their·mail,·and·passwords·should·never·be· 
892 transmitted·in·clear·text.·In·addition,·protecting·mail·as·it·is· 
893 downloaded·is·a·privacy·measure,·and·clients·may·use·SSL·certificates· 
894 to·authenticate·the·server,·preventing·another·system·from·impersonating· 
895 the·server.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_enabling_ssl"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">Allow·IMAP·Clients·to·Access·the·Server 
896 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·default·<code>firewalld</code>·configuration·does·not·allow·inbound 
897 access·to·any·services.·This·modification·will·allow·remote·hosts·to 
898 initiate·connections·to·the·IMAP·daemon,·while·keeping·all·other·ports 
899 on·the·server·in·their·default·protected·state. 
  
900 ········To·configure·<code>firewalld</code>·to·allow·access,·run·the·following·command(s): 
901 ········<code>firewall-cmd·--permanent·--add-port=143/tcp</code>·and 
902 ········</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_allow_imap_access"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"><h3·id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">Support·Only·the·Necessary·Protocols 
903 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>Dovecot·supports·the·IMAP·and·POP3·protocols,·as·well·as· 
904 SSL-protected·versions·of·those·protocols.·Configure·the·Dovecot·server· 
905 to·support·only·the·protocols·needed·by·your·site.·Edit·<code>/etc/dovecot/dovecot.conf</code>.· 
906 Add·or·correct·the·following·lines,·replacing·<code>PROTOCOL</code>·with· 
907 only·the·subset·of·protocols·(<code>imap</code>,·<code>imaps</code>,· 
908 <code>pop3</code>,·<code>pop3s</code>)·required: 
909 <pre>protocols·=·PROTOCOL</pre> 
910 If·possible,·require·SSL·protection·for·all·transactions.·The·SSL· 
911 protocol·variants·listen·on·alternate·ports·(995·instead·of·110·for· 
912 pop3s,·and·993·instead·of·143·for·imaps),·and·require·SSL-aware·clients.· 
913 An·alternate·approach·is·to·listen·on·the·standard·port·and·require·the· 
914 client·to·use·the·STARTTLS·command·before·authenticating.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_configure_dovecot"><td·style="padding-left:·76px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_disabling_dovecot"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_disabling_dovecot">Disable·Dovecot 
915 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_disabling_dovecot">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·does·not·need·to·operate·as·an·IMAP·or 
916 POP3·server,·the·dovecot·software·should·be·disabled·and·removed.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_disabling_dovecot"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_imap"><td·style="padding-left:·57px"></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_nfs_and_rpc"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nfs_and_rpc"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS·and·RPC 
917 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for918 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Network·File·System·is·a·popular·distributed·filesystem·for
918 the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the919 the·Unix·environment,·and·is·very·widely·deployed.··This·section·discusses·the
919 circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies,920 circumstances·under·which·it·is·possible·to·disable·NFS·and·its·dependencies,
Max diff block lines reached; 84025/118707 bytes (70.78%) of diff not shown.
843 KB
./usr/share/doc/ssg-nondebian/ssg-sl7-guide-hipaa.html
    
Offset 90, 24 lines modifiedOffset 90, 24 lines modified
90 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict90 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
91 the·service·as·much·as·possible,·for·instance·by·configuring·host91 the·service·as·much·as·possible,·for·instance·by·configuring·host
92 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the92 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
93 vulnerable·service·to·only·those·remote·hosts·which·have·a·known93 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
94 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec94 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
95 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which95 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
96 allow·cleartext·remote·access·and·have·an·insecure·trust96 allow·cleartext·remote·access·and·have·an·insecure·trust
97 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm36021"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package97 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands98 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
99 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have99 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
100 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,100 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
101 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from101 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
102 inadvertently·attempting·to·use·these·commands·and·therefore·exposing102 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
103 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes103 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
104 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 104 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
105 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 105 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
106 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36044">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36044"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.106 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
107 #107 #
108 #·Example·Call(s):108 #·Example·Call(s):
109 #109 #
110 #·····package_remove·telnet-server110 #·····package_remove·telnet-server
111 #111 #
112 function·package_remove·{112 function·package_remove·{
  
Offset 137, 62 lines modifiedOffset 137, 62 lines modified
137 ··echo·"Aborting."137 ··echo·"Aborting."
138 ··exit·1138 ··exit·1
139 fi139 fi
  
140 }140 }
  
141 package_remove·rsh141 package_remove·rsh
142 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36046">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36046"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed142 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36023">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36023"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
143 ··package:143 ··package:
144 ····name="{{item}}"144 ····name="{{item}}"
145 ····state=absent145 ····state=absent
146 ··with_items:146 ··with_items:
147 ····-·rsh147 ····-·rsh
148 ··tags:148 ··tags:
149 ····-·package_rsh_removed149 ····-·package_rsh_removed
150 ····-·unknown_severity150 ····-·unknown_severity
151 ····-·disable_strategy151 ····-·disable_strategy
152 ····-·low_complexity152 ····-·low_complexity
153 ····-·low_disruption153 ····-·low_disruption
154 ····-·CCE-27274-0154 ····-·CCE-27274-0
155 ····-·NIST-800-171-3.1.13155 ····-·NIST-800-171-3.1.13
156 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36047">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36047"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh156 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36024">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36024"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
157 class·remove_rsh·{157 class·remove_rsh·{
158 ··package·{·'rsh':158 ··package·{·'rsh':
159 ····ensure·=&gt;·'purged',159 ····ensure·=&gt;·'purged',
160 ··}160 ··}
161 }161 }
162 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36048">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36048"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>162 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36025">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36025"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
163 package·--remove=rsh163 package·--remove=rsh
164 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36053"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service164 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
165 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with165 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
166 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately166 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
167 as·a·systemd·socket,·should·be·disabled.167 as·a·systemd·socket,·should·be·disabled.
168 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.168 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
169 If·using·systemd,·169 If·using·systemd,·
170 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:170 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
171 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which171 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
172 means·that·data·from·the·login·session,·including·passwords·and172 means·that·data·from·the·login·session,·including·passwords·and
173 all·other·information·transmitted·during·the·session,·can·be173 all·other·information·transmitted·during·the·session,·can·be
174 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 174 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
175 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 175 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
176 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36077">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36077"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\176 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36054">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36054"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
177 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin177 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
178 #178 #
179 #·Disable·rlogin.socket·for·all·systemd·targets179 #·Disable·rlogin.socket·for·all·systemd·targets
180 #180 #
181 systemctl·disable·rlogin.socket181 systemctl·disable·rlogin.socket
  
182 #182 #
183 #·Stop·rlogin.socket·if·currently·running183 #·Stop·rlogin.socket·if·currently·running
184 #184 #
185 systemctl·stop·rlogin.socket185 systemctl·stop·rlogin.socket
186 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36078">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36078"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin186 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36055">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36055"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
187 ··service:187 ··service:
188 ····name="{{item}}"188 ····name="{{item}}"
189 ····enabled="no"189 ····enabled="no"
190 ····state="stopped"190 ····state="stopped"
191 ··register:·service_result191 ··register:·service_result
192 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"192 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
193 ··with_items:193 ··with_items:
Offset 205, 39 lines modifiedOffset 205, 39 lines modified
205 ····-·low_disruption205 ····-·low_disruption
206 ····-·CCE-27336-7206 ····-·CCE-27336-7
207 ····-·NIST-800-53-AC-17(8)207 ····-·NIST-800-53-AC-17(8)
208 ····-·NIST-800-53-CM-7208 ····-·NIST-800-53-CM-7
209 ····-·NIST-800-53-IA-5(1)(c)209 ····-·NIST-800-53-IA-5(1)(c)
210 ····-·NIST-800-171-3.1.13210 ····-·NIST-800-171-3.1.13
211 ····-·NIST-800-171-3.4.7211 ····-·NIST-800-171-3.4.7
212 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service212 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
213 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with213 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
214 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately214 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
215 as·a·systemd·socket,·should·be·disabled.215 as·a·systemd·socket,·should·be·disabled.
216 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·216 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
217 If·using·systemd,·217 If·using·systemd,·
218 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:218 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
219 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which219 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
220 means·that·data·from·the·login·session,·including·passwords·and220 means·that·data·from·the·login·session,·including·passwords·and
221 all·other·information·transmitted·during·the·session,·can·be221 all·other·information·transmitted·during·the·session,·can·be
222 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 222 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
223 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 223 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
224 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36107">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36107"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\224 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
225 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec225 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
226 #226 #
227 #·Disable·rexec.socket·for·all·systemd·targets227 #·Disable·rexec.socket·for·all·systemd·targets
228 #228 #
229 systemctl·disable·rexec.socket229 systemctl·disable·rexec.socket
  
230 #230 #
231 #·Stop·rexec.socket·if·currently·running231 #·Stop·rexec.socket·if·currently·running
232 #232 #
233 systemctl·stop·rexec.socket233 systemctl·stop·rexec.socket
234 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec234 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36085">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36085"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec
235 ··service:235 ··service:
236 ····name="{{item}}"236 ····name="{{item}}"
237 ····enabled="no"237 ····enabled="no"
238 ····state="stopped"238 ····state="stopped"
239 ··register:·service_result239 ··register:·service_result
240 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"240 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
241 ··with_items:241 ··with_items:
Max diff block lines reached; 838078/863207 bytes (97.09%) of diff not shown.
1.61 MB
./usr/share/doc/ssg-nondebian/ssg-sl7-guide-nist-800-171-cui.html
    
Offset 98, 24 lines modifiedOffset 98, 24 lines modified
98 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict98 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
99 the·service·as·much·as·possible,·for·instance·by·configuring·host99 the·service·as·much·as·possible,·for·instance·by·configuring·host
100 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the100 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
101 vulnerable·service·to·only·those·remote·hosts·which·have·a·known101 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
102 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec102 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
103 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which103 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
104 allow·cleartext·remote·access·and·have·an·insecure·trust104 allow·cleartext·remote·access·and·have·an·insecure·trust
105 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm36021"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package105 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
106 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands106 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
107 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have107 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
108 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,108 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
109 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from109 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
110 inadvertently·attempting·to·use·these·commands·and·therefore·exposing110 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
111 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes111 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
112 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 112 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
113 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 113 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
114 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36044">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36044"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.114 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
115 #115 #
116 #·Example·Call(s):116 #·Example·Call(s):
117 #117 #
118 #·····package_remove·telnet-server118 #·····package_remove·telnet-server
119 #119 #
120 function·package_remove·{120 function·package_remove·{
  
Offset 145, 62 lines modifiedOffset 145, 62 lines modified
145 ··echo·"Aborting."145 ··echo·"Aborting."
146 ··exit·1146 ··exit·1
147 fi147 fi
  
148 }148 }
  
149 package_remove·rsh149 package_remove·rsh
150 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36046">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36046"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed150 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36023">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36023"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
151 ··package:151 ··package:
152 ····name="{{item}}"152 ····name="{{item}}"
153 ····state=absent153 ····state=absent
154 ··with_items:154 ··with_items:
155 ····-·rsh155 ····-·rsh
156 ··tags:156 ··tags:
157 ····-·package_rsh_removed157 ····-·package_rsh_removed
158 ····-·unknown_severity158 ····-·unknown_severity
159 ····-·disable_strategy159 ····-·disable_strategy
160 ····-·low_complexity160 ····-·low_complexity
161 ····-·low_disruption161 ····-·low_disruption
162 ····-·CCE-27274-0162 ····-·CCE-27274-0
163 ····-·NIST-800-171-3.1.13163 ····-·NIST-800-171-3.1.13
164 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36047">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36047"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh164 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36024">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36024"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
165 class·remove_rsh·{165 class·remove_rsh·{
166 ··package·{·'rsh':166 ··package·{·'rsh':
167 ····ensure·=&gt;·'purged',167 ····ensure·=&gt;·'purged',
168 ··}168 ··}
169 }169 }
170 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36048">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36048"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>170 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36025">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36025"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
171 package·--remove=rsh171 package·--remove=rsh
172 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36053"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service172 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
173 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with173 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
174 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately174 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
175 as·a·systemd·socket,·should·be·disabled.175 as·a·systemd·socket,·should·be·disabled.
176 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.176 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
177 If·using·systemd,·177 If·using·systemd,·
178 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:178 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
179 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which179 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
180 means·that·data·from·the·login·session,·including·passwords·and180 means·that·data·from·the·login·session,·including·passwords·and
181 all·other·information·transmitted·during·the·session,·can·be181 all·other·information·transmitted·during·the·session,·can·be
182 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 182 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
183 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 183 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
184 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36077">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36077"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\184 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36054">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36054"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
185 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin185 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
186 #186 #
187 #·Disable·rlogin.socket·for·all·systemd·targets187 #·Disable·rlogin.socket·for·all·systemd·targets
188 #188 #
189 systemctl·disable·rlogin.socket189 systemctl·disable·rlogin.socket
  
190 #190 #
191 #·Stop·rlogin.socket·if·currently·running191 #·Stop·rlogin.socket·if·currently·running
192 #192 #
193 systemctl·stop·rlogin.socket193 systemctl·stop·rlogin.socket
194 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36078">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36078"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin194 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36055">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36055"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
195 ··service:195 ··service:
196 ····name="{{item}}"196 ····name="{{item}}"
197 ····enabled="no"197 ····enabled="no"
198 ····state="stopped"198 ····state="stopped"
199 ··register:·service_result199 ··register:·service_result
200 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"200 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
201 ··with_items:201 ··with_items:
Offset 213, 39 lines modifiedOffset 213, 39 lines modified
213 ····-·low_disruption213 ····-·low_disruption
214 ····-·CCE-27336-7214 ····-·CCE-27336-7
215 ····-·NIST-800-53-AC-17(8)215 ····-·NIST-800-53-AC-17(8)
216 ····-·NIST-800-53-CM-7216 ····-·NIST-800-53-CM-7
217 ····-·NIST-800-53-IA-5(1)(c)217 ····-·NIST-800-53-IA-5(1)(c)
218 ····-·NIST-800-171-3.1.13218 ····-·NIST-800-171-3.1.13
219 ····-·NIST-800-171-3.4.7219 ····-·NIST-800-171-3.4.7
220 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service220 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
221 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with221 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
222 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately222 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
223 as·a·systemd·socket,·should·be·disabled.223 as·a·systemd·socket,·should·be·disabled.
224 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·224 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
225 If·using·systemd,·225 If·using·systemd,·
226 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:226 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
227 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which227 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
228 means·that·data·from·the·login·session,·including·passwords·and228 means·that·data·from·the·login·session,·including·passwords·and
229 all·other·information·transmitted·during·the·session,·can·be229 all·other·information·transmitted·during·the·session,·can·be
230 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 230 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
231 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 231 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
232 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36107">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36107"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\232 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
233 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec233 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
234 #234 #
235 #·Disable·rexec.socket·for·all·systemd·targets235 #·Disable·rexec.socket·for·all·systemd·targets
236 #236 #
237 systemctl·disable·rexec.socket237 systemctl·disable·rexec.socket
  
238 #238 #
239 #·Stop·rexec.socket·if·currently·running239 #·Stop·rexec.socket·if·currently·running
240 #240 #
241 systemctl·stop·rexec.socket241 systemctl·stop·rexec.socket
242 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec242 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36085">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36085"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec
243 ··service:243 ··service:
244 ····name="{{item}}"244 ····name="{{item}}"
245 ····enabled="no"245 ····enabled="no"
246 ····state="stopped"246 ····state="stopped"
247 ··register:·service_result247 ··register:·service_result
248 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"248 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
249 ··with_items:249 ··with_items:
Max diff block lines reached; 1663737/1688866 bytes (98.51%) of diff not shown.
1.61 MB
./usr/share/doc/ssg-nondebian/ssg-sl7-guide-ospp.html
    
Offset 109, 24 lines modifiedOffset 109, 24 lines modified
109 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict109 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
110 the·service·as·much·as·possible,·for·instance·by·configuring·host110 the·service·as·much·as·possible,·for·instance·by·configuring·host
111 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the111 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
112 vulnerable·service·to·only·those·remote·hosts·which·have·a·known112 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
113 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec113 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·16·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
114 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which114 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
115 allow·cleartext·remote·access·and·have·an·insecure·trust115 allow·cleartext·remote·access·and·have·an·insecure·trust
116 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm36021"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package116 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed"·id="guide-tree-leaf-idm35998"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh_removed">Uninstall·rsh·Package
117 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands117 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh</code>·package·contains·the·client·commands
118 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have118 for·the·rsh·services</p><span·class="label·label-primary">Rationale:</span><p>These·legacy·clients·contain·numerous·security·exposures·and·have
119 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,119 been·replaced·with·the·more·secure·SSH·package.·Even·if·the·server·is·removed,
120 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from120 it·is·best·to·ensure·the·clients·are·also·removed·to·prevent·users·from
121 inadvertently·attempting·to·use·these·commands·and·therefore·exposing121 inadvertently·attempting·to·use·these·commands·and·therefore·exposing
122 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes122 their·credentials.·Note·that·removing·the·<code>rsh</code>·package·removes
123 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 123 the·clients·for·<code>rsh</code>,<code>rcp</code>,·and·<code>rlogin</code>.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
124 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 124 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
125 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36044">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36044"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.125 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.2</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36021">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36021"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
126 #126 #
127 #·Example·Call(s):127 #·Example·Call(s):
128 #128 #
129 #·····package_remove·telnet-server129 #·····package_remove·telnet-server
130 #130 #
131 function·package_remove·{131 function·package_remove·{
  
Offset 156, 62 lines modifiedOffset 156, 62 lines modified
156 ··echo·"Aborting."156 ··echo·"Aborting."
157 ··exit·1157 ··exit·1
158 fi158 fi
  
159 }159 }
  
160 package_remove·rsh160 package_remove·rsh
161 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36046">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36046"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed161 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36023">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36023"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh·is·removed
162 ··package:162 ··package:
163 ····name="{{item}}"163 ····name="{{item}}"
164 ····state=absent164 ····state=absent
165 ··with_items:165 ··with_items:
166 ····-·rsh166 ····-·rsh
167 ··tags:167 ··tags:
168 ····-·package_rsh_removed168 ····-·package_rsh_removed
169 ····-·unknown_severity169 ····-·unknown_severity
170 ····-·disable_strategy170 ····-·disable_strategy
171 ····-·low_complexity171 ····-·low_complexity
172 ····-·low_disruption172 ····-·low_disruption
173 ····-·CCE-27274-0173 ····-·CCE-27274-0
174 ····-·NIST-800-171-3.1.13174 ····-·NIST-800-171-3.1.13
175 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36047">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36047"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh175 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36024">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36024"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh
  
176 class·remove_rsh·{176 class·remove_rsh·{
177 ··package·{·'rsh':177 ··package·{·'rsh':
178 ····ensure·=&gt;·'purged',178 ····ensure·=&gt;·'purged',
179 ··}179 ··}
180 }180 }
181 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36048">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36048"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>181 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36025">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36025"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
182 package·--remove=rsh182 package·--remove=rsh
183 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36053"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service183 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rlogin_disabled"·id="guide-tree-leaf-idm36030"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rlogin_disabled">Disable·rlogin·Service
184 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with184 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rlogin_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rlogin</code>·service,·which·is·available·with
185 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately185 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
186 as·a·systemd·socket,·should·be·disabled.186 as·a·systemd·socket,·should·be·disabled.
187 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.187 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rlogin</code>.
188 If·using·systemd,·188 If·using·systemd,·
189 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:189 ········The·<code>rlogin</code>·socket·can·be·disabled·with·the·following·command:
190 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which190 ········<pre>$·sudo·systemctl·disable·rlogin.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rlogin·service·uses·unencrypted·network·communications,·which
191 means·that·data·from·the·login·session,·including·passwords·and191 means·that·data·from·the·login·session,·including·passwords·and
192 all·other·information·transmitted·during·the·session,·can·be192 all·other·information·transmitted·during·the·session,·can·be
193 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 193 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
194 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 194 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
195 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36077">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36077"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\195 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36054">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36054"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rlogin·&amp;&amp;·\
196 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin196 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rlogin
  
197 #197 #
198 #·Disable·rlogin.socket·for·all·systemd·targets198 #·Disable·rlogin.socket·for·all·systemd·targets
199 #199 #
200 systemctl·disable·rlogin.socket200 systemctl·disable·rlogin.socket
  
201 #201 #
202 #·Stop·rlogin.socket·if·currently·running202 #·Stop·rlogin.socket·if·currently·running
203 #203 #
204 systemctl·stop·rlogin.socket204 systemctl·stop·rlogin.socket
205 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36078">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36078"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin205 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36055">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36055"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rlogin
206 ··service:206 ··service:
207 ····name="{{item}}"207 ····name="{{item}}"
208 ····enabled="no"208 ····enabled="no"
209 ····state="stopped"209 ····state="stopped"
210 ··register:·service_result210 ··register:·service_result
211 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"211 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
212 ··with_items:212 ··with_items:
Offset 224, 39 lines modifiedOffset 224, 39 lines modified
224 ····-·low_disruption224 ····-·low_disruption
225 ····-·CCE-27336-7225 ····-·CCE-27336-7
226 ····-·NIST-800-53-AC-17(8)226 ····-·NIST-800-53-AC-17(8)
227 ····-·NIST-800-53-CM-7227 ····-·NIST-800-53-CM-7
228 ····-·NIST-800-53-IA-5(1)(c)228 ····-·NIST-800-53-IA-5(1)(c)
229 ····-·NIST-800-171-3.1.13229 ····-·NIST-800-171-3.1.13
230 ····-·NIST-800-171-3.4.7230 ····-·NIST-800-171-3.4.7
231 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36083"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service231 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rexec_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rexec_disabled"·id="guide-tree-leaf-idm36060"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_rexec_disabled">Disable·rexec·Service
232 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with232 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rexec_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rexec</code>·service,·which·is·available·with
233 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately233 the·<code>rsh-server</code>·package·and·runs·as·a·service·through·xinetd·or·separately
234 as·a·systemd·socket,·should·be·disabled.234 as·a·systemd·socket,·should·be·disabled.
235 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·235 If·using·xinetd,·set·<code>disable</code>·to·<code>yes</code>·in·<code>/etc/xinetd.d/rexec</code>.·
236 If·using·systemd,·236 If·using·systemd,·
237 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:237 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
238 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which238 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·rexec·service·uses·unencrypted·network·communications,·which
239 means·that·data·from·the·login·session,·including·passwords·and239 means·that·data·from·the·login·session,·including·passwords·and
240 all·other·information·transmitted·during·the·session,·can·be240 all·other·information·transmitted·during·the·session,·can·be
241 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 241 stolen·by·eavesdroppers·on·the·network.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
242 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 242 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
243 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36107">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36107"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\243 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.17</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000068</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001436</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36084">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36084"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/rexec·&amp;&amp;·\
244 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec244 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/rexec
  
245 #245 #
246 #·Disable·rexec.socket·for·all·systemd·targets246 #·Disable·rexec.socket·for·all·systemd·targets
247 #247 #
248 systemctl·disable·rexec.socket248 systemctl·disable·rexec.socket
  
249 #249 #
250 #·Stop·rexec.socket·if·currently·running250 #·Stop·rexec.socket·if·currently·running
251 #251 #
252 systemctl·stop·rexec.socket252 systemctl·stop·rexec.socket
253 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36108">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36108"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec253 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36085">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36085"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rexec
254 ··service:254 ··service:
255 ····name="{{item}}"255 ····name="{{item}}"
256 ····enabled="no"256 ····enabled="no"
257 ····state="stopped"257 ····state="stopped"
258 ··register:·service_result258 ··register:·service_result
259 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"259 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
260 ··with_items:260 ··with_items:
Max diff block lines reached; 1663739/1688870 bytes (98.51%) of diff not shown.
371 KB
./usr/share/doc/ssg-nondebian/ssg-sl7-guide-pci-dss.html
    
Offset 116, 15 lines modifiedOffset 116, 15 lines modified
116 <br><br>116 <br><br>
117 Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code>117 Refer·to·<a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>·for·more·detailed·comparison·of·features·of·<code>chronyd</code>
118 and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to118 and·<code>ntpd</code>·daemon·features·respectively,·and·for·further·guidance·how·to
119 choose·between·the·two·NTP·daemons.119 choose·between·the·two·NTP·daemons.
120 <br><br>120 <br><br>
121 The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for121 The·upstream·manual·pages·at·<a·href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</a>·for
122 <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional122 <code>chronyd</code>·and·<a·href="http://www.ntp.org">http://www.ntp.org</a>·for·<code>ntpd</code>·provide·additional
123 information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm38416"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers123 information·on·the·capabilities·and·configuration·of·each·of·the·NTP·daemons.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ntp"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers"·id="guide-tree-leaf-idm38489"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">Specify·Additional·Remote·NTP·Servers
124 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete124 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete
125 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be125 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be
126 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the126 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the
127 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to127 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to
128 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>128 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>
129 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for129 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for
130 further·guidance·how·to·choose·between·the·two·NTP·daemons.130 further·guidance·how·to·choose·between·the·two·NTP·daemons.
Offset 137, 15 lines modifiedOffset 137, 15 lines modified
137 Add·additional·lines·of·the·following·form,·substituting·the·IP·address·or137 Add·additional·lines·of·the·following·form,·substituting·the·IP·address·or
138 hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:138 hostname·of·a·remote·NTP·server·for·<em>ntpserver</em>:
139 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of139 <pre>server·<i>ntpserver</i></pre></p><span·class="label·label-primary">Rationale:</span><p>Specifying·additional·NTP·servers·increases·the·availability·of
140 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes140 accurate·time·data,·in·the·event·that·one·of·the·specified·servers·becomes
141 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for141 unavailable.·This·is·typical·for·a·system·acting·as·an·NTP·server·for
142 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 142 other·systems.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
143 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 143 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
144 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38436">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38436"><pre><code>144 ············<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38509">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38509"><pre><code>
145 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"145 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"
  
146 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.146 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.
147 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries147 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries
148 #·$1:·Path·to·the·config·file148 #·$1:·Path·to·the·config·file
149 #·$2:·Comma-separated·list·of·servers149 #·$2:·Comma-separated·list·of·servers
150 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{150 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{
Offset 164, 15 lines modifiedOffset 164, 15 lines modified
  
164 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file164 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file
  
165 config_file="/etc/ntp.conf"165 config_file="/etc/ntp.conf"
166 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"166 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"
  
167 [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"167 [·"$(grep·-c·'^server'·"$config_file")"·-gt·1·]·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"
168 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38441"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server168 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server"·id="guide-tree-leaf-idm38514"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">Specify·a·Remote·NTP·Server
169 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete169 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>Depending·on·specific·functional·requirements·of·a·concrete
170 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be170 production·environment,·the·Red·Hat·Enterprise·Linux·7·Server·system·can·be
171 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the171 configured·to·utilize·the·services·of·the·<code>chronyd</code>·NTP·daemon·(the
172 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to172 default),·or·services·of·the·<code>ntpd</code>·NTP·daemon.·Refer·to
173 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>173 <a·href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/ch-Configuring_NTP_Using_the_chrony_Suite.html</a>
174 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for174 for·more·detailed·comparison·of·the·features·of·both·of·the·choices,·and·for
175 further·guidance·how·to·choose·between·the·two·NTP·daemons.175 further·guidance·how·to·choose·between·the·two·NTP·daemons.
Offset 184, 15 lines modifiedOffset 184, 15 lines modified
184 Add·or·correct·the·following·lines,·substituting·the·IP·or·hostname·of·a·remote184 Add·or·correct·the·following·lines,·substituting·the·IP·or·hostname·of·a·remote
185 NTP·server·for·<em>ntpserver</em>:185 NTP·server·for·<em>ntpserver</em>:
186 <pre>server·<i>ntpserver</i></pre>186 <pre>server·<i>ntpserver</i></pre>
187 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time187 This·instructs·the·NTP·software·to·contact·that·remote·server·to·obtain·time
188 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system188 data.</p><span·class="label·label-primary">Rationale:</span><p>Synchronizing·with·an·NTP·server·makes·it·possible·to·collate·system
189 logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 189 logs·from·multiple·sources·or·correlate·computer·events·with·real·time·events.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
190 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 190 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
191 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38465">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38465"><pre><code>191 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">3.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.1</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38538">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38538"><pre><code>
192 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"192 var_multiple_time_servers="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_var_multiple_time_servers">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</abbr>"
  
193 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.193 #·Invoke·the·function·without·args,·so·its·body·is·substituded·right·here.
194 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries194 #·Function·ensures·that·the·ntp/chrony·config·file·contains·valid·server·entries
195 #·$1:·Path·to·the·config·file195 #·$1:·Path·to·the·config·file
196 #·$2:·Comma-separated·list·of·servers196 #·$2:·Comma-separated·list·of·servers
197 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{197 function·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·{
Offset 211, 15 lines modifiedOffset 211, 15 lines modified
  
211 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file211 rhel7_ensure_there_are_servers_in_ntp_compatible_config_file
  
212 config_file="/etc/ntp.conf"212 config_file="/etc/ntp.conf"
213 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"213 /usr/sbin/pidof·ntpd·||·config_file="/etc/chrony.conf"
  
214 grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"214 grep·-q·^server·"$config_file"·||·rhel7_ensure_there_are_servers_in_ntp_compatible_config_file·"$config_file"·"$var_multiple_time_servers"
215 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38472"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">Enable·the·NTP·Daemon215 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled"·id="guide-tree-leaf-idm38545"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">Enable·the·NTP·Daemon
216 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>216 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>
217 ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command:217 ········The·<code>chronyd</code>·service·can·be·enabled·with·the·following·command:
218 ········<pre>$·sudo·systemctl·enable·chronyd.service</pre>218 ········<pre>$·sudo·systemctl·enable·chronyd.service</pre>
219 Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default.219 Note:·The·<code>chronyd</code>·daemon·is·enabled·by·default.
220 <br><br>220 <br><br>
  
221 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:221 ········The·<code>ntpd</code>·service·can·be·enabled·with·the·following·command:
Offset 237, 15 lines modifiedOffset 237, 15 lines modified
237 maintaining·accurate·logs·and·auditing·possible·security·breaches.237 maintaining·accurate·logs·and·auditing·possible·security·breaches.
238 <br><br>238 <br><br>
239 The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the239 The·<code>chronyd</code>·and·<code>ntpd</code>·NTP·daemons·offer·all·of·the
240 functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional240 functionality·of·<code>ntpdate</code>,·which·is·now·deprecated.·Additional
241 information·on·this·is·available·at241 information·on·this·is·available·at
242 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 242 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a></p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
243 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 243 ························medium</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
244 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38500">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38500"><pre><code>244 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.1.1</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000160</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-10.4</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38573">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38573"><pre><code>
  
245 if·!·`rpm·-q·--quiet·chrony`·&amp;&amp;·!·`rpm·-q·--quiet·ntp-`;·then245 if·!·`rpm·-q·--quiet·chrony`·&amp;&amp;·!·`rpm·-q·--quiet·ntp-`;·then
246 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.246 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
247 #247 #
248 #·Example·Call(s):248 #·Example·Call(s):
249 #249 #
250 #·····package_install·aide250 #·····package_install·aide
Offset 450, 15 lines modifiedOffset 450, 15 lines modified
450 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·450 <a·href="http://www.openssh.org">http://www.openssh.org</a>.·Its·server·program·
451 is·called·<code>sshd</code>·and·provided·by·the·RPM·package451 is·called·<code>sshd</code>·and·provided·by·the·RPM·package
452 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary452 <code>openssh-server</code>.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_ssh_server"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_ssh_server">Configure·OpenSSH·Server·if·Necessary
453 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then453 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_ssh_server">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>If·the·system·needs·to·act·as·an·SSH·server,·then
454 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration454 certain·changes·should·be·made·to·the·OpenSSH·daemon·configuration
455 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be455 file·<code>/etc/ssh/sshd_config</code>.·The·following·recommendations·can·be
456 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more456 applied·to·this·file.·See·the·<code>sshd_config(5)</code>·man·page·for·more
457 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39992"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval457 detailed·information.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_ssh_server"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"·id="guide-tree-leaf-idm39772"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ssh_server"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">Set·SSH·Idle·Timeout·Interval
458 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout458 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>SSH·allows·administrators·to·set·an·idle·timeout
459 interval.459 interval.
460 After·this·interval·has·passed,·the·idle·user·will·be460 After·this·interval·has·passed,·the·idle·user·will·be
461 automatically·logged·out.461 automatically·logged·out.
462 <br><br>462 <br><br>
463 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as463 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
464 follows:464 follows:
Offset 468, 15 lines modifiedOffset 468, 15 lines modified
468 <br><br>468 <br><br>
469 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·469 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·
470 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH470 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
471 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of471 from·correctly·detecting·that·the·user·is·idle.</p><span·class="label·label-primary">Rationale:</span><p>Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of
472 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session472 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session
473 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 473 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
474 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 474 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
475 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm40017">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm40017"><pre><code>475 
············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86861r3_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">5.2.12</a>,·<a·href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-001133</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-002361</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-8(i)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</a>,·<a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf">Req-8.1.8</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000163-GPOS-00072</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000279-GPOS-00109</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm39797">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm39797"><pre><code>
476 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"476 sshd_idle_timeout_value="<abbr·title="from·Profile/refine-value:·xccdf_org.ssgproject.content_value_sshd_idle_timeout_value">900</abbr>"
477 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if477 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
478 #·it·does·not·exist.478 #·it·does·not·exist.
479 #479 #
480 #·Expects·arguments:480 #·Expects·arguments:
481 #481 #
482 #·config_file:»  »  Configuration·file·that·will·be·modified482 #·config_file:»  »  Configuration·file·that·will·be·modified
Max diff block lines reached; 358165/379597 bytes (94.35%) of diff not shown.
154 KB
./usr/share/doc/ssg-nondebian/ssg-sl7-guide-rht-ccp.html
    
Offset 83, 23 lines modifiedOffset 83, 23 lines modified
83 the·service·as·much·as·possible,·for·instance·by·configuring·host83 the·service·as·much·as·possible,·for·instance·by·configuring·host
84 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the84 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
85 vulnerable·service·to·only·those·remote·hosts·which·have·a·known85 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
86 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet86 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet
87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity87 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity
88 for·information·transmitted·on·the·network.·This·includes·authentication88 for·information·transmitted·on·the·network.·This·includes·authentication
89 information·such·as·passwords.·Organizations·which·use·telnet·should·be89 information·such·as·passwords.·Organizations·which·use·telnet·should·be
90 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm36233"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet_removed">Remove·telnet·Clients90 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed"·id="guide-tree-leaf-idm36210"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet_removed">Remove·telnet·Clients
91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other·91 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·telnet·client·allows·users·to·start·connections·to·other·
92 systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use92 systems·via·the·telnet·protocol.</p><span·class="label·label-primary">Rationale:</span><p>The·<code>telnet</code>·protocol·is·insecure·and·unencrypted.·The·use
93 of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user93 of·an·unencrypted·transmission·medium·could·allow·an·unauthorized·user
94 to·steal·credentials.·The·<code>ssh</code>·package·provides·an94 to·steal·credentials.·The·<code>ssh</code>·package·provides·an
95 encrypted·session·and·stronger·security·and·is·included·in·Red·Hat95 encrypted·session·and·stronger·security·and·is·included·in·Red·Hat
96 Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 96 Enterprise·Linux.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
97 ························low</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 97 ························low</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
98 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36253">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36253"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.98 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.3.4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36230">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36230"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
99 #99 #
100 #·Example·Call(s):100 #·Example·Call(s):
101 #101 #
102 #·····package_remove·telnet-server102 #·····package_remove·telnet-server
103 #103 #
104 function·package_remove·{104 function·package_remove·{
  
Offset 129, 38 lines modifiedOffset 129, 38 lines modified
129 ··echo·"Aborting."129 ··echo·"Aborting."
130 ··exit·1130 ··exit·1
131 fi131 fi
  
132 }132 }
  
133 package_remove·telnet133 package_remove·telnet
134 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36255">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36255"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnet·is·removed134 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36232">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36232"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·telnet·is·removed
135 ··package:135 ··package:
136 ····name="{{item}}"136 ····name="{{item}}"
137 ····state=absent137 ····state=absent
138 ··with_items:138 ··with_items:
139 ····-·telnet139 ····-·telnet
140 ··tags:140 ··tags:
141 ····-·package_telnet_removed141 ····-·package_telnet_removed
142 ····-·low_severity142 ····-·low_severity
143 ····-·disable_strategy143 ····-·disable_strategy
144 ····-·low_complexity144 ····-·low_complexity
145 ····-·low_disruption145 ····-·low_disruption
146 ····-·CCE-27305-2146 ····-·CCE-27305-2
147 ····-·NIST-800-171-3.1.13147 ····-·NIST-800-171-3.1.13
148 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36256">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36256"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnet148 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36233">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36233"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_telnet
  
149 class·remove_telnet·{149 class·remove_telnet·{
150 ··package·{·'telnet':150 ··package·{·'telnet':
151 ····ensure·=&gt;·'purged',151 ····ensure·=&gt;·'purged',
152 ··}152 ··}
153 }153 }
154 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36257">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36257"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>154 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36234">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36234"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
155 package·--remove=telnet155 package·--remove=telnet
156 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm36262"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_telnet_disabled">Disable·telnet·Service156 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_telnet_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_telnet_disabled"·id="guide-tree-leaf-idm36239"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_service_telnet_disabled">Disable·telnet·Service
157 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code>157 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_telnet_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet</code>·service·configuration·file·<code>/etc/xinetd.d/telnet</code>
158 is·not·created·automatically.·If·it·was·created·manually,·check·the158 is·not·created·automatically.·If·it·was·created·manually,·check·the
159 <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code>159 <code>/etc/xinetd.d/telnet</code>·file·and·ensure·that·<code>disable·=·no</code>
160 is·changed·to·read·<code>disable·=·yes</code>·as·follows·below:160 is·changed·to·read·<code>disable·=·yes</code>·as·follows·below:
161 <pre>161 <pre>
162 #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\162 #·description:·The·telnet·server·serves·telnet·sessions;·it·uses·\\
163 #·······unencrypted·username/password·pairs·for·authentication.163 #·······unencrypted·username/password·pairs·for·authentication.
Offset 183, 27 lines modifiedOffset 183, 27 lines modified
183 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:183 ········The·<code>rexec</code>·socket·can·be·disabled·with·the·following·command:
184 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which184 ········<pre>$·sudo·systemctl·disable·rexec.socket</pre></p><span·class="label·label-primary">Rationale:</span><p>The·telnet·protocol·uses·unencrypted·network·communication,·which
185 means·that·data·from·the·login·session,·including·passwords·and185 means·that·data·from·the·login·session,·including·passwords·and
186 all·other·information·transmitted·during·the·session,·can·be186 all·other·information·transmitted·during·the·session,·can·be
187 stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also187 stolen·by·eavesdroppers·on·the·network.·The·telnet·protocol·is·also
188 subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 188 subject·to·man-in-the-middle·attacks.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
189 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 189 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
190 ············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36288">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36288"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/telnet·&amp;&amp;·\190 
············<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.2.18</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36265">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36265"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>grep·-qi·disable·/etc/xinetd.d/telnet·&amp;&amp;·\
191 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet191 ··sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/telnet
  
192 #192 #
193 #·Disable·telnet.socket·for·all·systemd·targets193 #·Disable·telnet.socket·for·all·systemd·targets
194 #194 #
195 systemctl·disable·telnet.socket195 systemctl·disable·telnet.socket
  
196 #196 #
197 #·Stop·telnet.socket·if·currently·running197 #·Stop·telnet.socket·if·currently·running
198 #198 #
199 systemctl·stop·telnet.socket199 systemctl·stop·telnet.socket
200 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36289">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36289"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·telnet200 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36266">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36266"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·telnet
201 ··service:201 ··service:
202 ····name="{{item}}"202 ····name="{{item}}"
203 ····enabled="no"203 ····enabled="no"
204 ····state="stopped"204 ····state="stopped"
205 ··register:·service_result205 ··register:·service_result
206 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"206 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
207 ··with_items:207 ··with_items:
Offset 216, 29 lines modifiedOffset 216, 29 lines modified
216 ····-·low_disruption216 ····-·low_disruption
217 ····-·CCE-27401-9217 ····-·CCE-27401-9
218 ····-·NIST-800-53-AC-17(8)218 ····-·NIST-800-53-AC-17(8)
219 ····-·NIST-800-53-CM-7219 ····-·NIST-800-53-CM-7
220 ····-·NIST-800-53-IA-5(1)(c)220 ····-·NIST-800-53-IA-5(1)(c)
221 ····-·NIST-800-171-3.1.13221 ····-·NIST-800-171-3.1.13
222 ····-·NIST-800-171-3.4.7222 ····-·NIST-800-171-3.4.7
223 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36294"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package223 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36271"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package
224 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with224 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with
225 the·following·command:225 the·following·command:
226 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding226 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding
227 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore227 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore
228 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.228 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.
229 <br>229 <br>
230 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·230 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·
231 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were231 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were
232 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.232 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.
233 <br>233 <br>
234 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·234 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·
235 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 235 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
236 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 236 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
237 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm36321">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36321"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.237 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/Spec
ialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36298">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36298"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
238 #238 #
239 #·Example·Call(s):239 #·Example·Call(s):
240 #240 #
241 #·····package_remove·telnet-server241 #·····package_remove·telnet-server
242 #242 #
243 function·package_remove·{243 function·package_remove·{
  
Offset 268, 15 lines modifiedOffset 268, 15 lines modified
268 ··echo·"Aborting."268 ··echo·"Aborting."
269 ··exit·1269 ··exit·1
270 fi270 fi
  
271 }271 }
  
Max diff block lines reached; 132658/157561 bytes (84.19%) of diff not shown.
327 KB
./usr/share/doc/ssg-nondebian/ssg-sl7-guide-standard.html
    
Offset 71, 28 lines modifiedOffset 71, 28 lines modified
71 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional71 Red·Hat·Enterprise·Linux·7·provides·a·convenient·minimal·install·option·that·essentially·installs·the·bare·necessities·for·a·functional
72 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up72 system.·When·building·Red·Hat·Enterprise·Linux·7·systems,·it·is·highly·recommended·to·select·the·minimal·packages·and·then·build·up
73 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons73 the·system·from·there.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td·style="padding-left:·19px"><small>contains·6·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_cron_and_at"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_cron_and_at">Cron·and·At·Daemons
74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to74 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_cron_and_at">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·cron·and·at·services·are·used·to·allow·commands·to
75 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost75 be·executed·at·a·later·time.·The·cron·service·is·required·by·almost
76 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or76 all·systems·to·perform·necessary·maintenance·tasks,·while·at·may·or
77 may·not·be·required·on·a·given·system.·Both·daemons·should·be77 may·not·be·required·on·a·given·system.·Both·daemons·should·be
78 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm36920"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd)78 configured·defensively.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_cron_and_at"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_atd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_atd_disabled"·id="guide-tree-leaf-idm36993"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_atd_disabled">Disable·At·Service·(atd)
79 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to79 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_atd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>at</code>·and·<code>batch</code>·commands·can·be·used·to
80 schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed80 schedule·tasks·that·are·meant·to·be·executed·only·once.·This·allows·delayed
81 execution·in·a·manner·similar·to·cron,·except·that·it·is·not81 execution·in·a·manner·similar·to·cron,·except·that·it·is·not
82 recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via82 recurring.·The·daemon·<code>atd</code>·keeps·track·of·tasks·scheduled·via
83 <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time.83 <code>at</code>·and·<code>batch</code>,·and·executes·them·at·the·specified·time.
  
84 ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command:84 ········The·<code>atd</code>·service·can·be·disabled·with·the·following·command:
85 ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry85 ········<pre>$·sudo·systemctl·disable·atd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>atd</code>·service·could·be·used·by·an·unsophisticated·insider·to·carry
86 out·activities·outside·of·a·normal·login·session,·which·could·complicate86 out·activities·outside·of·a·normal·login·session,·which·could·complicate
87 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or87 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or
88 <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 88 <code>batch</code>·is·not·common.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
89 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 89 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
90 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36936">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36936"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.90 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm37009">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37009"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
91 #91 #
92 #·Example·Call(s):92 #·Example·Call(s):
93 #93 #
94 #·····service_command·enable·bluetooth94 #·····service_command·enable·bluetooth
95 #·····service_command·disable·bluetooth.service95 #·····service_command·disable·bluetooth.service
96 #96 #
97 #·····Using·xinetd:97 #·····Using·xinetd:
Offset 160, 15 lines modifiedOffset 160, 15 lines modified
160 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd160 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
161 ··fi161 ··fi
162 fi162 fi
  
163 }163 }
  
164 service_command·disable·atd164 service_command·disable·atd
165 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36938">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36938"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd165 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm37011">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm37011"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·atd
166 ··service:166 ··service:
167 ····name="{{item}}"167 ····name="{{item}}"
168 ····enabled="no"168 ····enabled="no"
169 ····state="stopped"169 ····state="stopped"
170 ··register:·service_result170 ··register:·service_result
171 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"171 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
172 ··with_items:172 ··with_items:
Offset 183, 27 lines modifiedOffset 183, 27 lines modified
183 ····-·NIST-800-53-CM-7183 ····-·NIST-800-53-CM-7
184 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services184 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_base"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><h3·id="xccdf_org.ssgproject.content_group_base">Base·Services
185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a185 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_base">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>This·section·addresses·the·base·services·that·are·installed·on·a
186 Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other186 Red·Hat·Enterprise·Linux·7·default·installation·which·are·not·covered·in·other
187 sections.·Some·of·these·services·listen·on·the·network·and187 sections.·Some·of·these·services·listen·on·the·network·and
188 should·be·treated·with·particular·discretion.·Other·services·are·local188 should·be·treated·with·particular·discretion.·Other·services·are·local
189 system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services189 system·utilities·that·may·or·may·not·be·extraneous.·In·general,·system·services
190 should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38582"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled">Disable·Network·Router·Discovery·Daemon·(rdisc)190 should·be·disabled·if·not·required.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_base"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·5·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rdisc_disabled"·id="guide-tree-leaf-idm38655"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_rdisc_disabled">Disable·Network·Router·Discovery·Daemon·(rdisc)
191 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP191 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_rdisc_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rdisc</code>·service·implements·the·client·side·of·the·ICMP
192 Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on192 Internet·Router·Discovery·Protocol·(IRDP),·which·allows·discovery·of·routers·on
193 the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is193 the·local·subnet.·If·a·router·is·discovered·then·the·local·routing·table·is
194 updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled.194 updated·with·a·corresponding·default·route.·By·default·this·daemon·is·disabled.
  
195 ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command:195 ········The·<code>rdisc</code>·service·can·be·disabled·with·the·following·command:
196 ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing196 ········<pre>$·sudo·systemctl·disable·rdisc.service</pre></p><span·class="label·label-primary">Rationale:</span><p>General-purpose·systems·typically·have·their·network·and·routing
197 information·configured·statically·by·a·system·administrator.·Workstations·or197 information·configured·statically·by·a·system·administrator.·Workstations·or
198 some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve198 some·special-purpose·systems·often·use·DHCP·(instead·of·IRDP)·to·retrieve
199 dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 199 dynamic·network·configuration·information.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
200 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 200 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
201 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38593">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38593"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.201 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000382</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38666">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38666"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
202 #202 #
203 #·Example·Call(s):203 #·Example·Call(s):
204 #204 #
205 #·····service_command·enable·bluetooth205 #·····service_command·enable·bluetooth
206 #·····service_command·disable·bluetooth.service206 #·····service_command·disable·bluetooth.service
207 #207 #
208 #·····Using·xinetd:208 #·····Using·xinetd:
Offset 271, 15 lines modifiedOffset 271, 15 lines modified
271 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd271 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
272 ··fi272 ··fi
273 fi273 fi
  
274 }274 }
  
275 service_command·disable·rdisc275 service_command·disable·rdisc
276 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm38595">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38595"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rdisc276 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm38668">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38668"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·rdisc
277 ··service:277 ··service:
278 ····name="{{item}}"278 ····name="{{item}}"
279 ····enabled="no"279 ····enabled="no"
280 ····state="stopped"280 ····state="stopped"
281 ··register:·service_result281 ··register:·service_result
282 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"282 ··failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
283 ··with_items:283 ··with_items:
Offset 290, 27 lines modifiedOffset 290, 27 lines modified
290 ····-·disable_strategy290 ····-·disable_strategy
291 ····-·low_complexity291 ····-·low_complexity
292 ····-·low_disruption292 ····-·low_disruption
293 ····-·CCE-80268-6293 ····-·CCE-80268-6
294 ····-·NIST-800-53-AC-17(8)294 ····-·NIST-800-53-AC-17(8)
295 ····-·NIST-800-53-AC-4295 ····-·NIST-800-53-AC-4
296 ····-·NIST-800-53-CM-7296 ····-·NIST-800-53-CM-7
297 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm38715"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">Disable·Odd·Job·Daemon·(oddjobd)297 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_oddjobd_disabled"·id="guide-tree-leaf-idm38788"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_base"><td·style="padding-left:·57px"><h4·id="xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">Disable·Odd·Job·Daemon·(oddjobd)
298 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and298 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_service_oddjobd_disabled">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>oddjobd</code>·service·exists·to·provide·an·interface·and
299 access·control·mechanism·through·which299 access·control·mechanism·through·which
300 specified·privileged·tasks·can·run·tasks·for·unprivileged·client300 specified·privileged·tasks·can·run·tasks·for·unprivileged·client
301 applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus.301 applications.·Communication·with·<code>oddjobd</code>·through·the·system·message·bus.
  
302 ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command:302 ········The·<code>oddjobd</code>·service·can·be·disabled·with·the·following·command:
303 ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in303 ········<pre>$·sudo·systemctl·disable·oddjobd.service</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>oddjobd</code>·service·may·provide·necessary·functionality·in
304 some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of304 some·environments,·and·can·be·disabled·if·it·is·not·needed.·Execution·of
305 tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally305 tasks·by·privileged·programs,·on·behalf·of·unprivileged·ones,·has·traditionally
306 been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 306 been·a·source·of·privilege·escalation·security·issues.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
307 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 307 ························unknown</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
308 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38726">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38726"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.308 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm38799">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38799"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
309 #309 #
310 #·Example·Call(s):310 #·Example·Call(s):
311 #311 #
312 #·····service_command·enable·bluetooth312 #·····service_command·enable·bluetooth
313 #·····service_command·disable·bluetooth.service313 #·····service_command·disable·bluetooth.service
314 #314 #
315 #·····Using·xinetd:315 #·····Using·xinetd:
Offset 378, 15 lines modifiedOffset 378, 15 lines modified
378 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd378 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
379 ··fi379 ··fi
380 fi380 fi
  
381 }381 }
  
382 service_command·disable·oddjobd382 service_command·disable·oddjobd
383 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm38728">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38728"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·oddjobd383 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm38801">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm38801"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Disable·service·oddjobd
384 ··service:384 ··service:
385 ····name="{{item}}"385 ····name="{{item}}"
Max diff block lines reached; 316204/334498 bytes (94.53%) of diff not shown.
932 KB
./usr/share/doc/ssg-nondebian/ssg-sl7-guide-stig-rhel7-disa.html
    
Offset 92, 65 lines modifiedOffset 92, 65 lines modified
92 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict92 these·services·for·legacy·reasons,·care·should·be·taken·to·restrict
93 the·service·as·much·as·possible,·for·instance·by·configuring·host93 the·service·as·much·as·possible,·for·instance·by·configuring·host
94 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the94 firewall·software·such·as·<code>firewalld</code>·to·restrict·access·to·the
95 vulnerable·service·to·only·those·remote·hosts·which·have·a·known95 vulnerable·service·to·only·those·remote·hosts·which·have·a·known
96 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec96 need·to·use·it.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td·style="padding-left:·38px"><small>contains·7·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_r_services"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_r_services">Rlogin,·Rsh,·and·Rexec
97 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which97 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·Berkeley·r-commands·are·legacy·services·which
98 allow·cleartext·remote·access·and·have·an·insecure·trust98 allow·cleartext·remote·access·and·have·an·insecure·trust
99 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36113"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files99 model.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_r_services"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·3·rules</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_host_based_files"·id="guide-tree-leaf-idm36090"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_host_based_files">Remove·Host-Based·Authentication·Files
100 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts100 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>shosts.equiv</code>·file·list·remote·hosts
101 and·users·that·are·trusted·by·the·local·system.101 and·users·that·are·trusted·by·the·local·system.
102 To·remove·these·files,·run·the·following·command·to·delete·them·from·any102 To·remove·these·files,·run·the·following·command·to·delete·them·from·any
103 location:103 location:
104 <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the104 <pre>$·sudo·rm·/[path]/[to]/[file]/shosts.equiv</pre></p><span·class="label·label-primary">Rationale:</span><p>The·shosts.equiv·files·are·used·to·configure·host-based·authentication·for·the
105 system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing105 system·via·SSH.·Host-based·authentication·is·not·sufficient·for·preventing
106 unauthorized·access·to·the·system,·as·it·does·not·require·interactive106 unauthorized·access·to·the·system,·as·it·does·not·require·interactive
107 identification·and·authentication·of·a·connection·request,·or·for·the·use·of107 identification·and·authentication·of·a·connection·request,·or·for·the·use·of
108 two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 108 two-factor·authentication.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
109 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 109 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
110 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36122">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36122"><pre><code>110 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86903r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36099">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36099"><pre><code>
111 #·Identify·local·mounts111 #·Identify·local·mounts
112 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·112 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·
  
113 #·Find·file·on·each·listed·mount·point113 #·Find·file·on·each·listed·mount·point
114 for·cur_mount·in·${MOUNT_LIST}114 for·cur_mount·in·${MOUNT_LIST}
115 do115 do
116 »       find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\;116 »       find·${cur_mount}·-xdev·-type·f·-name·"shosts.equiv"·-exec·rm·-f·{}·\;
117 done117 done
118 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36158"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files118 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_no_user_host_based_files"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_user_host_based_files"·id="guide-tree-leaf-idm36135"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_no_user_host_based_files">Remove·User·Host-Based·Authentication·Files
119 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files119 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_no_user_host_based_files">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>~/.shosts</code>·(in·each·user's·home·directory)·files
120 list·remote·hosts·and·users·that·are·trusted·by·the120 list·remote·hosts·and·users·that·are·trusted·by·the
121 local·system.·To·remove·these·files,·run·the·following·command121 local·system.·To·remove·these·files,·run·the·following·command
122 to·delete·them·from·any·location:122 to·delete·them·from·any·location:
123 <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for123 <pre>$·sudo·rm·~/.shosts</pre></p><span·class="label·label-primary">Rationale:</span><p>The·.shosts·files·are·used·to·configure·host-based·authentication·for
124 individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not124 individual·users·or·the·system·via·SSH.·Host-based·authentication·is·not
125 sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not125 sufficient·for·preventing·unauthorized·access·to·the·system,·as·it·does·not
126 require·interactive·identification·and·authentication·of·a·connection·request,126 require·interactive·identification·and·authentication·of·a·connection·request,
127 or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 127 or·for·the·use·of·two-factor·authentication.false</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
128 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 128 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
129 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36167">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36167"><pre><code>129 ············<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000366</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000480-GPOS-00227</a>,·<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86901r1_rule</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36144">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36144"><pre><code>
130 #·Identify·local·mounts130 #·Identify·local·mounts
131 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·131 MOUNT_LIST=$(df·|·grep·"^/dev"·|·awk·'{·print·$6·}')·
  
132 #·Find·file·on·each·listed·mount·point132 #·Find·file·on·each·listed·mount·point
133 for·cur_mount·in·${MOUNT_LIST}133 for·cur_mount·in·${MOUNT_LIST}
134 do134 do
135 »       find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\;135 »       find·${cur_mount}·-xdev·-type·f·-name·".shosts"·-exec·rm·-f·{}·\;
136 done136 done
137 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36172"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package137 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh-server_removed"·id="guide-tree-leaf-idm36149"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_rsh-server_removed">Uninstall·rsh-server·Package
138 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with138 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_rsh-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>rsh-server</code>·package·can·be·uninstalled·with
139 the·following·command:139 the·following·command:
140 <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not140 <pre>$·sudo·yum·erase·rsh-server</pre></p><span·class="label·label-primary">Rationale:</span><p>The·<code>rsh-server</code>·service·provides·unencrypted·remote·access·service·which·does·not
141 provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak141 provide·for·the·confidentiality·and·integrity·of·user·passwords·or·the·remote·session·and·has·very·weak
142 authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password142 authentication.·If·a·privileged·user·were·to·login·using·this·service,·the·privileged·user·password
143 could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure143 could·be·compromised.·The·<code>rsh-server</code>·package·provides·several·obsolete·and·insecure
144 network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional)144 network·services.·Removing·it·decreases·the·risk·of·those·services'·accidental·(or·intentional)
145 activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 145 activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
146 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 146 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
147 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm36197">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36197"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.147 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86591r1_rule</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-
OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36174">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36174"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
148 #148 #
149 #·Example·Call(s):149 #·Example·Call(s):
150 #150 #
151 #·····package_remove·telnet-server151 #·····package_remove·telnet-server
152 #152 #
153 function·package_remove·{153 function·package_remove·{
  
Offset 180, 15 lines modifiedOffset 180, 15 lines modified
180 ··echo·"Aborting."180 ··echo·"Aborting."
181 ··exit·1181 ··exit·1
182 fi182 fi
  
183 }183 }
  
184 package_remove·rsh-server184 package_remove·rsh-server
185 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36199">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36199"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh-server·is·removed185 </code></pre></div><span·class="label·label-success">Remediation·Ansible·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36176">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36176"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>-·name:·Ensure·rsh-server·is·removed
186 ··package:186 ··package:
187 ····name="{{item}}"187 ····name="{{item}}"
188 ····state=absent188 ····state=absent
189 ··with_items:189 ··with_items:
190 ····-·rsh-server190 ····-·rsh-server
191 ··tags:191 ··tags:
192 ····-·package_rsh-server_removed192 ····-·package_rsh-server_removed
Offset 196, 42 lines modifiedOffset 196, 42 lines modified
196 ····-·disable_strategy196 ····-·disable_strategy
197 ····-·low_complexity197 ····-·low_complexity
198 ····-·low_disruption198 ····-·low_disruption
199 ····-·CCE-27342-5199 ····-·CCE-27342-5
200 ····-·NIST-800-53-AC-17(8)200 ····-·NIST-800-53-AC-17(8)
201 ····-·NIST-800-53-CM-7(a)201 ····-·NIST-800-53-CM-7(a)
202 ····-·DISA-STIG-RHEL-07-020000202 ····-·DISA-STIG-RHEL-07-020000
203 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36200">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36200"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh-server203 </code></pre></div><span·class="label·label-success">Remediation·Puppet·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36177">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36177"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include·remove_rsh-server
  
204 class·remove_rsh-server·{204 class·remove_rsh-server·{
205 ··package·{·'rsh-server':205 ··package·{·'rsh-server':
206 ····ensure·=&gt;·'purged',206 ····ensure·=&gt;·'purged',
207 ··}207 ··}
208 }208 }
209 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36201">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36201"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>209 </code></pre></div><span·class="label·label-success">Remediation·Anaconda·snippet:</span>   <a·data-toggle="collapse"·data-target="#idm36178">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36178"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
210 package·--remove=rsh-server210 package·--remove=rsh-server
211 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet211 </code></pre></div></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_group_telnet"·class="guide-tree-inner-node·guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><h3·id="xccdf_org.ssgproject.content_group_telnet">Telnet
212 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity212 ························  <a·class="small"·href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a><span·class="label·label-default·pull-right">group</span></h3><p>The·telnet·protocol·does·not·provide·confidentiality·or·integrity
213 for·information·transmitted·on·the·network.·This·includes·authentication213 for·information·transmitted·on·the·network.·This·includes·authentication
214 information·such·as·passwords.·Organizations·which·use·telnet·should·be214 information·such·as·passwords.·Organizations·which·use·telnet·should·be
215 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36294"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package215 actively·working·to·migrate·to·a·more·secure·protocol.</p></td></tr><tr·data-tt-id="children-xccdf_org.ssgproject.content_group_telnet"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td·style="padding-left:·57px"><small>contains·1·rule</small></td></tr><tr·data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·class="guide-tree-leaf·guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet-server_removed"·id="guide-tree-leaf-idm36271"·data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td·style="padding-left:·76px"><h4·id="xccdf_org.ssgproject.content_rule_package_telnet-server_removed">Uninstall·telnet-server·Package
216 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with216 ····················  <a·class="small"·href="#xccdf_org.ssgproject.content_rule_package_telnet-server_removed">[ref]</a><span·class="label·label-default·pull-right">rule</span></h4><p>The·<code>telnet-server</code>·package·can·be·uninstalled·with
217 the·following·command:217 the·following·command:
218 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding218 <pre>$·sudo·yum·erase·telnet-server</pre></p><span·class="label·label-primary">Rationale:</span><p>It·is·detrimental·for·operating·systems·to·provide,·or·install·by·default,·functionality·exceeding
219 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore219 requirements·or·mission·objectives.·These·unnecessary·capabilities·are·often·overlooked·and·therefore
220 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.220 may·remain·unsecure.·They·increase·the·risk·to·the·platform·by·providing·additional·attack·vectors.
221 <br>221 <br>
222 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·222 The·telnet·service·provides·an·unencrypted·remote·access·service·which·does·not·provide·for·the·
223 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were223 confidentiality·and·integrity·of·user·passwords·or·the·remote·session.·If·a·privileged·user·were
224 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.224 to·login·using·this·service,·the·privileged·user·password·could·be·compromised.
225 <br>225 <br>
226 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·226 Removing·the·<code>telnet-server</code>·package·decreases·the·risk·of·the·telnet·service's·accidental·
227 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 227 (or·intentional)·activation.</p><div·class="severity"><p><span·class="label·label-warning">Severity:</span> 
228 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 228 ························high</p></div><div·class="identifiers"><p><span·class="label·label-default"·title="Provide·a·reference·to·a·document·or·resource·where·the·user·can·learn·more·about·the·subject·of·the·Rule·or·Group.">References:</span> 
229 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   
<a·data-toggle="collapse"·data-target="#idm36321">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36321"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.229 ············<a·href="http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx">SV-86701r1_rule</a>,·<a·href="https://benchmarks.cisecurity.org/tools2/linux/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf">2.1.1</a>,·<a·href="http://iase.disa.mil/stigs/cci/Pages/index.aspx">CCI-000381</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>,·<a·href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>,·<a·href="https://www.iso.org/standard/54534.html">A.8.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.1.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.1</a>,·<a·href="https://www.iso.org/standard/54534.html">A.13.2.3</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.2</a>,·<a·href="https://www.iso.org/standard/54534.html">A.14.1.3</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(8)</a>,·<a·href="http://nvlpubs.nist.gov/nistpubs/Spec
ialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</a>,·<a·href="http://iase.disa.mil/stigs/os/general/Pages/index.aspx">SRG-OS-000095-GPOS-00049</a></p></div><span·class="label·label-success">Remediation·Shell·script:</span>   <a·data-toggle="collapse"·data-target="#idm36298">(show)</a><br></br><div·class="panel-collapse·collapse"·id="idm36298"><table·class="table·table-striped·table-bordered·table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>#·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
230 #230 #
231 #·Example·Call(s):231 #·Example·Call(s):
232 #232 #
233 #·····package_remove·telnet-server233 #·····package_remove·telnet-server
234 #234 #
235 function·package_remove·{235 function·package_remove·{
  
Offset 261, 15 lines modifiedOffset 261, 15 lines modified
261 ··echo·"Aborting."261 ··echo·"Aborting."
262 ··exit·1262 ··exit·1
Max diff block lines reached; 928191/953987 bytes (97.30%) of diff not shown.
222 KB
./usr/share/doc/ssg-nondebian/table-rhel6-cces.html
Ordering differences only
    
Offset 37, 73 lines modifiedOffset 37, 111 lines modified
37 <table>37 <table>
38 <thead>38 <thead>
39 <td>CCE·ID</td>39 <td>CCE·ID</td>
40 <td>Rule·Title</td>40 <td>Rule·Title</td>
41 <td>Description</td>41 <td>Description</td>
42 </thead>42 </thead>
43 <tr>43 <tr>
44 <td>CCE-27143-7</td>44 <td>CCE-27115-5</td>
45 <td>Disable·Samba</td>45 <td>Restrict·Access·to·Anonymous·Users·if·Possible</td>
46 <td·xml:lang="en-US">46 <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than
47 ············47 using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option:
48 ········The·<code>smb</code>·service·can·be·disabled·with·the·following·command:48 <pre>local_enable=NO</pre>
49 ········<pre>$·sudo·chkconfig·smb·off</pre>49 If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure
50 ··········</td>50 these·logins·as·much·as·possible.</td>
51 </tr>51 </tr>
52 <tr>52 <tr>
53 <td>CCE-27102-3</td>53 <td></td>
54 <td>Uninstall·samba·Package</td>54 <td>Limit·Users·Allowed·FTP·Access·if·Necessary</td>
55 <td·xml:lang="en-US">55 <td·xml:lang="en-US">If·there·is·a·mission-critical·reason·for·users·to·access·their·accounts·via·the·insecure·FTP·protocol,·limit·the·set·of·users·who·are·allowed·this·access.·Edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·options:
56 ············56 <pre>userlist_enable=YES
57 ········The·<code>samba</code>·package·can·be·removed·with·the·following·command:57 userlist_file=/etc/vsftp.ftpusers
58 ········<pre>$·sudo·yum·erase·samba</pre>58 userlist_deny=NO</pre>
59 ··········</td>59 Edit·the·file·<code>/etc/vsftp.ftpusers</code>.·For·each·user·USERNAME·who·should·be·allowed·to·access·the·system·via·FTP,·add·a·line·containing·that·user's·name:
 60 <pre>USERNAME</pre>
 61 If·anonymous·access·is·also·required,·add·the·anonymous·usernames·to·<code>/etc/vsftp.ftpusers</code>·as·well.
 62 <pre>anonymous
 63 ftp</pre>
 64 </td>
60 </tr>65 </tr>
61 <tr>66 <tr>
62 <td>CCE-RHEL6-CCE-TBD</td>67 <td></td>
63 <td>Install·the·Samba·Common·Package</td>68 <td>Configure·Firewalls·to·Protect·the·FTP·Server</td>
64 <td·xml:lang="en-US">The·<code>samba-common</code>·package·should·be·installed.69 <td·xml:lang="en-US">By·default,·<code>iptables</code>
 70 blocks·access·to·the·ports·used·by·the·web·server.
  
65 ········The·<code>samba-common</code>·package·can·be·installed·with·the·following·command:71 ········To·configure·<code>iptables</code>·to·allow·port
66 ········<pre>$·sudo·yum·install·samba-common</pre>72 ········21·traffic·one·must·edit
 73 ········<code>/etc/sysconfig/iptables</code>·and
 74 ········<code>/etc/sysconfig/ip6tables</code>·(if·IPv6·is·in·use).
 75 ········Add·the·following·line,·ensuring·that·it·appears·before·the·final·LOG
 76 ········and·DROP·lines·for·the·INPUT·chain:
 77 ········<pre·xml:space="preserve">-A·INPUT·-m·state·--state·NEW·-p·tcp·--dport·21·-j·ACCEPT</pre>
 78 Edit·the·file·<code>/etc/sysconfig/iptables-config</code>.·Ensure·that·the·space-separated·list·of·modules·contains
 79 the·FTP·connection·tracking·module:
 80 <pre>IPTABLES_MODULES="ip_conntrack_ftp"</pre>
67 </td>81 </td>
68 </tr>82 </tr>
69 <tr>83 <tr>
70 <td>CCE-27533-9</td>84 <td>CCE-27411-8</td>
71 <td>Disable·Root·Access·to·SMB·Shares</td>85 <td>Place·the·FTP·Home·Directory·on·its·Own·Partition</td>
72 <td·xml:lang="en-US">Administrators·should·not·use·administrator·accounts·to·access86 <td·xml:lang="en-US">By·default,·the·anonymous·FTP·root·is·the·home·directory·of·the·FTP·user·account.·The·df·command·can
73 Samba·file·and·printer·shares.·Disable·the·root·user·and·the·wheel87 be·used·to·verify·that·this·directory·is·on·its·own·partition.</td>
74 administrator·group: 
75 <pre>[<i>share</i>] 
76 ··invalid·users·=·root·@wheel</pre> 
77 If·administrator·accounts·cannot·be·disabled,·ensure·that·local·system 
78 passwords·and·Samba·service·passwords·do·not·match.</td> 
79 </tr>88 </tr>
80 <tr>89 <tr>
81 <td>CCE-26328-5</td>90 <td>CCE-27142-9</td>
82 <td>Require·Client·SMB·Packet·Signing,·if·using·smbclient</td>91 <td>Enable·Logging·of·All·FTP·Transactions</td>
83 <td·xml:lang="en-US">To·require·samba·clients·running·<code>smbclient</code>·to·use92 <td·xml:lang="en-US">Add·or·correct·the·following·configuration·options·within·the·<code>vsftpd</code>
84 packet·signing,·add·the·following·to·the·<code>[global]</code>·section93 configuration·file,·located·at·<code>/etc/vsftpd/vsftpd.conf</code>:
85 of·the·Samba·configuration·file,·<code>/etc/samba/smb.conf</code>:94 <pre>xferlog_enable=YES
86 <pre>client·signing·=·mandatory</pre>95 xferlog_std_format=NO
87 Requiring·samba·clients·such·as·<code>smbclient</code>·to·use·packet96 log_ftp_protocol=YES</pre>
88 signing·ensures·they·can97 </td>
89 only·communicate·with·servers·that·support·packet·signing.</td> 
90 </tr>98 </tr>
91 <tr>99 <tr>
92 <td>CCE-26792-2</td>100 <td>CCE-27117-1</td>
93 <td>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</td>101 <td>Disable·FTP·Uploads·if·Possible</td>
94 <td·xml:lang="en-US">Require·packet·signing·of·clients·who·mount·Samba102 <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·upload·files·via·FTP?·If·not,
95 shares·using·the·<code>mount.cifs</code>·program·(e.g.,·those·who·specify·shares103 edit·the·vsftpd·configuration·file·to·add·or·correct·the·following·configuration·options:
96 in·<code>/etc/fstab</code>).·To·do·so,·ensure·signing·options·(either104 <pre>write_enable=NO</pre>
97 <code>sec=krb5i</code>·or·<code>sec=ntlmv2i</code>)·are·used.105 If·FTP·uploads·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure·these·transactions
98 <br><br>106 as·much·as·possible.</td>
99 See·the·<code>mount.cifs(8)</code>·man·page·for·more·information.·A·Samba107 </tr>
100 client·should·only·communicate·with·servers·who·can·support·SMB108 <tr>
101 packet·signing.</td>109 <td>CCE-27145-2</td>
 110 <td>Create·Warning·Banners·for·All·FTP·Users</td>
 111 <td·xml:lang="en-US">Edit·the·vsftpd·configuration·file,·which·resides·at·<code>/etc/vsftpd/vsftpd.conf</code>
 112 by·default.·Add·or·correct·the·following·configuration·options:
 113 <pre>banner_file=/etc/issue</pre>
 114 </td>
 115 </tr>
 116 <tr>
 117 <td>CCE-27187-4</td>
 118 <td>Install·vsftpd·Package</td>
 119 <td·xml:lang="en-US">If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels.
 120 <pre>$·sudo·yum·install·vsftpd</pre>
 121 </td>
 122 </tr>
 123 <tr>
 124 <td>CCE-26948-0</td>
 125 <td>Disable·vsftpd·Service</td>
 126 <td·xml:lang="en-US">
 127 ············
 128 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
 129 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
 130 ··········</td>
 131 </tr>
 132 <tr>
 133 <td>CCE-26687-4</td>
 134 <td>Uninstall·vsftpd·Package</td>
 135 <td·xml:lang="en-US">
 136 ············
 137 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
 138 ········<pre>$·sudo·yum·erase·vsftpd</pre>
 139 ··········</td>
102 </tr>140 </tr>
103 <tr>141 <tr>
104 <td>CCE-27075-1</td>142 <td>CCE-27075-1</td>
105 <td>Disable·httpd·Service</td>143 <td>Disable·httpd·Service</td>
106 <td·xml:lang="en-US">144 <td·xml:lang="en-US">
107 ············145 ············
108 ········The·<code>httpd</code>·service·can·be·disabled·with·the·following·command:146 ········The·<code>httpd</code>·service·can·be·disabled·with·the·following·command:
Offset 237, 69 lines modifiedOffset 275, 57 lines modified
237 <td·xml:lang="en-US">The·<code>ldap</code>·module·provides·HTTP·authentication·via·an·LDAP·directory.275 <td·xml:lang="en-US">The·<code>ldap</code>·module·provides·HTTP·authentication·via·an·LDAP·directory.
238 If·its·functionality·is·unnecessary,·comment·out·the·related·modules:276 If·its·functionality·is·unnecessary,·comment·out·the·related·modules:
239 <pre>#LoadModule·ldap_module·modules/mod_ldap.so277 <pre>#LoadModule·ldap_module·modules/mod_ldap.so
240 #LoadModule·authnz_ldap_module·modules/mod_authnz_ldap.so</pre>278 #LoadModule·authnz_ldap_module·modules/mod_authnz_ldap.so</pre>
241 If·LDAP·is·to·be·used,·SSL·encryption·should·be·used·as·well.</td>279 If·LDAP·is·to·be·used,·SSL·encryption·should·be·used·as·well.</td>
242 </tr>280 </tr>
243 <tr>281 <tr>
244 <td>CCE-27541-2</td>282 <td>CCE-27362-3</td>
245 <td>Disable·MIME·Magic</td>283 <td>Disable·CGI·Support</td>
Max diff block lines reached; 219003/226906 bytes (96.52%) of diff not shown.
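Review bot: The rows of ./usr/share/doc/ssg-nondebian/table-rhel6-cces.html come out in a different order in the second build (in the hunk at offset 37 the Samba rows CCE-27143-7 and CCE-27102-3 sit on the old side while the vsftpd rows CCE-27115-5 and CCE-27411-8 sit on the new side at the same offsets, with no change to the row text), which diffoscope itself flags as "Ordering differences only". That pattern suggests the table generator emits rules in the iteration order of an unordered collection rather than a sorted one, so the data.tar contents, the .deb md5sums and the package checksums in the .changes file differ between otherwise identical builds and the artefact cannot be verified as reproducible. The fix belongs in the generator, not in these HTML files: sort the rules by a stable key such as the CCE ID or the XCCDF rule id before rendering each table, so two builds from the same source yield byte-identical output. The same ordering defect is visible in the table-rhel6-nistrefs.html and table-rhel6-pcidssrefs.html sections below, and the differing collapse ids in the ssg-chromium guide above (idm36197 in one build, idm36174 in the other) look like the same nondeterminism surfacing through generated element ids rather than row order, which I would check for a common cause.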
472 KB
./usr/share/doc/ssg-nondebian/table-rhel6-nistrefs.html
Ordering differences only
    
Offset 42, 14 lines modifiedOffset 42, 72 lines modified
42 <td>Rule·Title</td>42 <td>Rule·Title</td>
43 <td>Description</td>43 <td>Description</td>
44 <td>Rationale</td>44 <td>Rationale</td>
45 <td>Variable·Setting</td>45 <td>Variable·Setting</td>
46 </thead>46 </thead>
47 <tr>47 <tr>
48 <td>CM-7</td>48 <td>CM-7</td>
 49 <td>Restrict·Access·to·Anonymous·Users·if·Possible</td>
 50 <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than
 51 using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option:
 52 <pre>local_enable=NO</pre>
 53 If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure
 54 these·logins·as·much·as·possible.</td>
 55 <td·xml:lang="en-US">The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</td>
 56 <td></td>
 57 </tr>
 58 <tr>
 59 <td>AC-3</td>
 60 <td>Restrict·Access·to·Anonymous·Users·if·Possible</td>
 61 <td·xml:lang="en-US">Is·there·a·mission-critical·reason·for·users·to·transfer·files·to/from·their·own·accounts·using·FTP,·rather·than
 62 using·a·secure·protocol·like·SCP/SFTP?·If·not,·edit·the·vsftpd·configuration·file.·Add·or·correct·the·following·configuration·option:
 63 <pre>local_enable=NO</pre>
 64 If·non-anonymous·FTP·logins·are·necessary,·follow·the·guidance·in·the·remainder·of·this·section·to·secure
 65 these·logins·as·much·as·possible.</td>
 66 <td·xml:lang="en-US">The·use·of·non-anonymous·FTP·logins·is·strongly·discouraged.·Since·SSH·clients·and·servers·are·widely·available,·and·since·SSH·provides·support·for·a·transfer·mode·which·resembles·FTP·in·user·interface,·there·is·no·good·reason·to·allow·password-based·FTP·access.</td>
 67 <td></td>
 68 </tr>
 69 <tr>
 70 <td>CM-7</td>
 71 <td>Install·vsftpd·Package</td>
 72 <td·xml:lang="en-US">If·this·system·must·operate·as·an·FTP·server,·install·the·<code>vsftpd</code>·package·via·the·standard·channels.
 73 <pre>$·sudo·yum·install·vsftpd</pre>
 74 </td>
 75 <td·xml:lang="en-US">After·Red·Hat·Enterprise·Linux·2.1,·Red·Hat·switched·from·distributing·wu-ftpd·with·Red·Hat·Enterprise·Linux·to·distributing·vsftpd.·For·security
 76 and·for·consistency·with·future·Red·Hat·releases,·the·use·of·vsftpd·is·recommended.</td>
 77 <td></td>
 78 </tr>
 79 <tr>
 80 <td>CM-7</td>
 81 <td>Disable·vsftpd·Service</td>
 82 <td·xml:lang="en-US">
 83 ············
 84 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
 85 ········<pre>$·sudo·chkconfig·vsftpd·off</pre>
 86 ··········</td>
 87 <td·xml:lang="en-US">Running·FTP·server·software·provides·a·network-based·avenue
 88 of·attack,·and·should·be·disabled·if·not·needed.
 89 Furthermore,·the·FTP·protocol·is·unencrypted·and·creates
 90 a·risk·of·compromising·sensitive·information.</td>
 91 <td></td>
 92 </tr>
 93 <tr>
 94 <td>CM-7</td>
 95 <td>Uninstall·vsftpd·Package</td>
 96 <td·xml:lang="en-US">
 97 ············
 98 ········The·<code>vsftpd</code>·package·can·be·removed·with·the·following·command:
 99 ········<pre>$·sudo·yum·erase·vsftpd</pre>
 100 ··········</td>
 101 <td·xml:lang="en-US">Removing·the·vsftpd·package·decreases·the·risk·of·its
 102 accidental·activation.</td>
 103 <td></td>
 104 </tr>
 105 <tr>
 106 <td>CM-7</td>
49 <td>Disable·httpd·Service</td>107 <td>Disable·httpd·Service</td>
50 <td·xml:lang="en-US">108 <td·xml:lang="en-US">
51 ············109 ············
52 ········The·<code>httpd</code>·service·can·be·disabled·with·the·following·command:110 ········The·<code>httpd</code>·service·can·be·disabled·with·the·following·command:
53 ········<pre>$·sudo·chkconfig·httpd·off</pre>111 ········<pre>$·sudo·chkconfig·httpd·off</pre>
54 ··········</td>112 ··········</td>
55 <td·xml:lang="en-US">Running·web·server·software·provides·a·network-based·avenue113 <td·xml:lang="en-US">Running·web·server·software·provides·a·network-based·avenue
Offset 113, 74 lines modifiedOffset 171, 82 lines modified
113 This·is·its·default·setting.</td>171 This·is·its·default·setting.</td>
114 <td·xml:lang="en-US">Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker172 <td·xml:lang="en-US">Access·to·the·web·server's·log·files·may·allow·an·unauthorized·user·or·attacker
115 to·access·information·about·the·web·server·or·alter·the·server's·log·files.</td>173 to·access·information·about·the·web·server·or·alter·the·server's·log·files.</td>
116 <td></td>174 <td></td>
117 </tr>175 </tr>
118 <tr>176 <tr>
119 <td>CM-7</td>177 <td>CM-7</td>
120 <td>Disable·Postfix·Network·Listening</td>178 <td>Authenticate·Zone·Transfers</td>
121 <td·xml:lang="en-US">Edit·the·file·<code>/etc/postfix/main.cf</code>·to·ensure·that·only·the·following179 <td·xml:lang="en-US">If·it·is·necessary·for·a·secondary·nameserver·to·receive·zone·data
122 <code>inet_interfaces</code>·line·appears:180 via·zone·transfer·from·the·primary·server,·follow·the·instructions·here.··Use
123 <pre>inet_interfaces·=·localhost</pre>181 dnssec-keygen·to·create·a·symmetric·key·file·in·the·current·directory:
124 </td>182 <pre>$·cd·/tmp
125 <td·xml:lang="en-US">This·ensures·<code>postfix</code>·accepts·mail·messages183 $·sudo·dnssec-keygen·-a·HMAC-MD5·-b·128·-n·HOST·dns.example.com
126 (such·as·cron·job·reports)·from·the·local·system·only,184 Kdns.example.com·.+aaa·+iiiii</pre>
127 and·not·from·the·network,·which·protects·it·from·network·attack.</td>185 This·output·is·the·name·of·a·file·containing·the·new·key.·Read·the·file·to·find
128 <td></td>186 the·base64-encoded·key·string:
129 </tr>187 <pre>$·sudo·cat·Kdns.example.com·.+NNN·+MMMMM·.key
130 <tr>188 dns.example.com·IN·KEY·512·3·157·base64-key-string</pre>
131 <td>AC-22</td>189 Add·the·directives·to·<code>/etc/named.conf</code>·on·the·primary·server:
132 <td>Configure·SMTP·Greeting·Banner</td>190 <pre>key·zone-transfer-key·{
133 <td·xml:lang="en-US">Edit·<code>/etc/postfix/main.cf</code>,·and·add·or·correct·the191 ··algorithm·hmac-md5;
134 following·line,·substituting·some·other·wording·for·the·banner·information·if192 ··secret·"base64-key-string·";
135 you·prefer:193 };
136 <pre>smtpd_banner·=·$myhostname·ESMTP</pre>194 zone·"example.com·"·IN·{
 195 ··type·master;
 196 ··allow-transfer·{·key·zone-transfer-key;·};
 197 ··...
 198 };</pre>
 199 Add·the·directives·below·to·<code>/etc/named.conf</code>·on·the·secondary·nameserver:
 200 <pre>key·zone-transfer-key·{
 201 ··algorithm·hmac-md5;
 202 ··secret·"base64-key-string·";
 203 };
  
 204 server·IP-OF-MASTER·{
 205 ··keys·{·zone-transfer-key;·};
 206 };
  
 207 zone·"example.com·"·IN·{
 208 ··type·slave;
 209 ··masters·{·IP-OF-MASTER·;·};
 210 ··...
 211 };</pre>
137 </td>212 </td>
138 <td·xml:lang="en-US">The·default·greeting·banner·discloses·that·the·listening·mail213 <td·xml:lang="en-US">The·BIND·transaction·signature·(TSIG)·functionality·allows·primary
139 process·is·Postfix.··When·remote·mail·senders·connect·to·the·MTA·on·port·25,214 and·secondary·nameservers·to·use·a·shared·secret·to·verify·authorization·to
140 they·are·greeted·by·an·initial·banner·as·part·of·the·SMTP·dialogue.·This·banner215 perform·zone·transfers.·This·method·is·more·secure·than·using·IP-based·limiting
141 is·necessary,·but·it·frequently·gives·away·too·much·information,·including·the216 to·restrict·nameserver·access,·since·IP·addresses·can·be·easily·spoofed.
142 MTA·software·which·is·in·use,·and·sometimes·also·its·version·number.·Remote217 However,·if·you·cannot·configure·TSIG·between·your·servers·because,·for
143 mail·senders·do·not·need·this·information·in·order·to·send·mail,·so·the·banner218 instance,·the·secondary·nameserver·is·not·under·your·control·and·its
144 should·be·changed·to·reveal·only·the·hostname·(which·is·already·known·and·may219 administrators·are·unwilling·to·configure·TSIG,·you·can·configure·an
145 be·useful)·and·the·word·ESMTP,·to·indicate·that·the·modern·SMTP·protocol220 allow-transfer·directive·with·numerical·IP·addresses·or·ACLs·as·a·last·resort.</td>
146 variant·is·supported.</td> 
147 <td></td>221 <td></td>
Max diff block lines reached; 475985/483007 bytes (98.55%) of diff not shown.
50.5 KB
./usr/share/doc/ssg-nondebian/table-rhel6-pcidssrefs.html
Ordering differences only
Offset 107, 76 lines modifiedOffset 107, 14 lines modified
107 from·correctly·detecting·that·the·user·is·idle.</td>107 from·correctly·detecting·that·the·user·is·idle.</td>
108 <td·xml:lang="en-US">Causing·idle·users·to·be·automatically·logged·out108 <td·xml:lang="en-US">Causing·idle·users·to·be·automatically·logged·out
109 guards·against·compromises·one·system·leading·trivially109 guards·against·compromises·one·system·leading·trivially
110 to·compromises·on·another.</td>110 to·compromises·on·another.</td>
111 <td></td>111 <td></td>
112 </tr>112 </tr>
113 <tr>113 <tr>
114 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> 
115 <td>Implement·Blank·Screensaver</td> 
116 <td·xml:lang="en-US">Run·the·following·command·to·set·the·screensaver·mode 
117 in·the·GNOME·desktop·to·a·blank·screen: 
118 <pre>$·sudo·gconftool-2·--direct·\ 
119 ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ 
120 ··--type·string·\ 
121 ··--set·/apps/gnome-screensaver/mode·blank-only</pre> 
122 </td> 
123 <td·xml:lang="en-US">Setting·the·screensaver·mode·to·blank-only·conceals·the 
124 contents·of·the·display·from·passersby.</td> 
125 <td></td> 
126 </tr> 
127 <tr> 
128 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> 
129 <td>Enable·Screen·Lock·Activation·After·Idle·Period</td> 
130 <td·xml:lang="en-US">Run·the·following·command·to·activate·locking·of·the·screensaver 
131 in·the·GNOME·desktop·when·it·is·activated: 
132 <pre>$·sudo·gconftool-2·--direct·\ 
133 ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ 
134 ··--type·bool·\ 
135 ··--set·/apps/gnome-screensaver/lock_enabled·true</pre> 
136 </td> 
137 <td·xml:lang="en-US">Enabling·the·activation·of·the·screen·lock·after·an·idle·period 
138 ensures·password·entry·will·be·required·in·order·to 
139 access·the·system,·preventing·access·by·passersby.</td> 
140 <td></td> 
141 </tr> 
142 <tr> 
143 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> 
144 <td>GNOME·Desktop·Screensaver·Mandatory·Use</td> 
145 <td·xml:lang="en-US">Run·the·following·command·to·activate·the·screensaver 
146 in·the·GNOME·desktop·after·a·period·of·inactivity: 
147 <pre>$·sudo·gconftool-2·--direct·\ 
148 ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ 
149 ··--type·bool·\ 
150 ··--set·/apps/gnome-screensaver/idle_activation_enabled·true</pre> 
151 </td> 
152 <td·xml:lang="en-US">Enabling·idle·activation·of·the·screensaver·ensures·the·screensaver·will 
153 be·activated·after·the·idle·delay.··Applications·requiring·continuous, 
154 real-time·screen·display·(such·as·network·management·products)·require·the 
155 login·session·does·not·have·administrator·rights·and·the·display·station·is·located·in·a 
156 controlled-access·area.</td> 
157 <td></td> 
158 </tr> 
159 <tr> 
160 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td> 
161 <td>Set·GNOME·Login·Inactivity·Timeout</td> 
162 <td·xml:lang="en-US">Run·the·following·command·to·set·the·idle·time-out·value·for 
163 inactivity·in·the·GNOME·desktop·to·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="inactivity_timeout_value"></ns0:sub>·minutes: 
164 <pre>$·sudo·gconftool-2·\ 
165 ··--direct·\ 
166 ··--config-source·xml:readwrite:/etc/gconf/gconf.xml.mandatory·\ 
167 ··--type·int·\ 
168 ··--set·/desktop/gnome/session/idle_delay·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="inactivity_timeout_value"></ns0:sub></pre> 
169 </td> 
170 <td·xml:lang="en-US">Setting·the·idle·delay·controls·when·the 
171 screensaver·will·start,·and·can·be·combined·with 
172 screen·locking·to·prevent·access·from·passersby.</td> 
173 <td></td> 
174 </tr> 
175 <tr> 
176 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.1</a></td>114 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.5.1</a></td>
177 <td>Ensure·System·Log·Files·Have·Correct·Permissions</td>115 <td>Ensure·System·Log·Files·Have·Correct·Permissions</td>
178 <td·xml:lang="en-US">The·file·permissions·for·all·log·files·written·by116 <td·xml:lang="en-US">The·file·permissions·for·all·log·files·written·by
179 <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive.117 <code>rsyslog</code>·should·be·set·to·600,·or·more·restrictive.
180 These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in118 These·log·files·are·determined·by·the·second·part·of·each·Rule·line·in
181 <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.·119 <code>/etc/rsyslog.conf</code>·and·typically·all·appear·in·<code>/var/log</code>.·
182 For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>,120 For·each·log·file·<i>LOGFILE</i>·referenced·in·<code>/etc/rsyslog.conf</code>,
Offset 503, 14 lines modifiedOffset 441, 130 lines modified
503 their·account.·Providing·users·with·information·regarding·the·number441 their·account.·Providing·users·with·information·regarding·the·number
504 of·unsuccessful·attempts·that·were·made·to·login·to·their·account442 of·unsuccessful·attempts·that·were·made·to·login·to·their·account
505 allows·the·user·to·determine·if·any·unauthorized·activity·has·occurred443 allows·the·user·to·determine·if·any·unauthorized·activity·has·occurred
506 and·gives·them·an·opportunity·to·notify·administrators.</td>444 and·gives·them·an·opportunity·to·notify·administrators.</td>
507 <td></td>445 <td></td>
508 </tr>446 </tr>
509 <tr>447 <tr>
 448 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.7.c</a></td>
 449 <td>Verify·Permissions·on·shadow·File</td>
 450 <td·xml:lang="en-US">
 451 ··············
 452 ····To·properly·set·the·permissions·of·<code>/etc/shadow</code>,·run·the·command:
 453 ····<pre·xml:space="preserve">$·sudo·chmod·0000·/etc/shadow</pre>
 454 ············</td>
 455 <td·xml:lang="en-US">The·<code>/etc/shadow</code>·file·contains·the·list·of·local
 456 system·accounts·and·stores·password·hashes.·Protection·of·this·file·is
 457 critical·for·system·security.·Failure·to·give·ownership·of·this·file
 458 to·root·provides·the·designated·owner·with·access·to·sensitive·information
 459 which·could·weaken·the·system·security·posture.</td>
 460 <td></td>
 461 </tr>
 462 <tr>
 463 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.7.c</a></td>
 464 <td>Verify·Group·Who·Owns·shadow·File</td>
 465 <td·xml:lang="en-US">
 466 ··············
 467 ····To·properly·set·the·group·owner·of·<code>/etc/shadow</code>,·run·the·command:
 468 ····<pre·xml:space="preserve">$·sudo·chgrp·root·/etc/shadow·</pre>
 469 ············</td>
 470 <td·xml:lang="en-US">The·<code>/etc/shadow</code>·file·stores·password·hashes.·Protection·of·this·file·is
 471 critical·for·system·security.</td>
 472 <td></td>
 473 </tr>
 474 <tr>
 475 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.7.c</a></td>
 476 <td>Verify·Permissions·on·group·File</td>
 477 <td·xml:lang="en-US">
 478 ··············
 479 ····To·properly·set·the·permissions·of·<code>/etc/group</code>,·run·the·command:
 480 ····<pre·xml:space="preserve">$·sudo·chmod·644·/etc/group</pre>
 481 ············</td>
 482 <td·xml:lang="en-US">The·<code>/etc/group</code>·file·contains·information·regarding·groups·that·are·configured
 483 on·the·system.·Protection·of·this·file·is·important·for·system·security.</td>
 484 <td></td>
 485 </tr>
 486 <tr>
 487 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.7.c</a></td>
 488 <td>Verify·User·Who·Owns·passwd·File</td>
 489 <td·xml:lang="en-US">
 490 ··············
Max diff block lines reached; 41781/51532 bytes (81.08%) of diff not shown.
381 KB
./usr/share/doc/ssg-nondebian/table-rhel6-srgmap-flat.html
Ordering differences only
Offset 66, 124 lines modifiedOffset 66, 14 lines modified
66 <td></td>66 <td></td>
67 </tr>67 </tr>
68 <tr>68 <tr>
69 <td>SRG-OS-000480-GPOS-00232</td>69 <td>SRG-OS-000480-GPOS-00232</td>
70 <td>CCI-000366</td>70 <td>CCI-000366</td>
71 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>71 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>
72 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>72 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>
73 <td>postfix_client_configure_mail_alias</td> 
74 <td>Configure·System·to·Forward·All·Mail·For·The·Root·Account</td> 
75 <td·xml:lang="en-US">Set·up·an·alias·for·root·that·forwards·to·a·monitored·email·address: 
76 <pre>$·sudo·echo·"root:·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_postfix_root_mail_alias"></ns0:sub>"·&gt;&gt;·/etc/aliases 
77 $·sudo·newaliases</pre> 
78 </td> 
79 <td></td> 
80 </tr> 
81 <tr> 
82 <td>SRG-OS-000480-GPOS-00232</td> 
83 <td>CCI-000366</td> 
84 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> 
85 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> 
86 <td>sysconfig_networking_bootproto_ifcfg</td> 
87 <td>Disable·DHCP·Client</td> 
88 <td·xml:lang="en-US">For·each·interface·on·the·system·(e.g.·eth0),·edit 
89 <code>/etc/sysconfig/network-scripts/ifcfg-<i>interface</i></code>·and·make·the 
90 following·changes: 
91 <ul> 
92 <li>·Correct·the·BOOTPROTO·line·to·read: 
93 <pre>BOOTPROTO=none</pre> 
94 </li> 
95 <li>·Add·or·correct·the·following·lines,·substituting·the·appropriate 
96 values·based·on·your·site's·addressing·scheme: 
97 <pre>NETMASK=255.255.255.0 
98 IPADDR=192.168.1.2 
99 GATEWAY=192.168.1.1</pre> 
100 </li> 
101 </ul> 
102 </td> 
103 <td></td> 
104 </tr> 
105 <tr> 
106 <td>SRG-OS-000480-GPOS-00232</td> 
107 <td>CCI-000366</td> 
108 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> 
109 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> 
110 <td>package_dhcp_removed</td> 
111 <td>Uninstall·DHCP·Server·Package</td> 
112 <td·xml:lang="en-US">If·the·system·does·not·need·to·act·as·a·DHCP·server, 
113 the·dhcp·package·can·be·uninstalled. 
  
114 ········The·<code>dhcp</code>·package·can·be·removed·with·the·following·command: 
115 ········<pre>$·sudo·yum·erase·dhcp</pre> 
116 </td> 
117 <td></td> 
118 </tr> 
119 <tr> 
120 <td>SRG-OS-000480-GPOS-00232</td> 
121 <td>CCI-000366</td> 
122 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> 
123 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> 
124 <td>service_dhcpd_disabled</td> 
125 <td>Disable·DHCP·Service</td> 
126 <td·xml:lang="en-US">The·<code>dhcpd</code>·service·should·be·disabled·on 
127 any·system·that·does·not·need·to·act·as·a·DHCP·server. 
  
128 ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command: 
129 ········<pre>$·sudo·chkconfig·dhcpd·off</pre> 
130 </td> 
131 <td></td> 
132 </tr> 
133 <tr> 
134 <td>SRG-OS-000480-GPOS-00232</td> 
135 <td>CCI-000366</td> 
136 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> 
137 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> 
138 <td>tftpd_uses_secure_mode</td> 
139 <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> 
140 <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured 
141 to·change·its·root·directory·at·startup.·To·do·so,·ensure 
142 <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in 
143 the·following·example·(which·is·also·the·default): 
144 <pre>server_args·=·-s·/var/lib/tftpboot</pre> 
145 </td> 
146 <td></td> 
147 </tr> 
148 <tr> 
149 <td>SRG-OS-000480-GPOS-00232</td> 
150 <td>CCI-000366</td> 
151 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> 
152 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> 
153 <td>package_xorg-x11-server-common_removed</td> 
154 <td>Remove·the·X·Windows·Package·Group</td> 
155 <td·xml:lang="en-US">Removing·all·packages·which·constitute·the·X·Window·System 
156 ensures·users·or·malicious·software·cannot·start·X. 
157 To·do·so,·run·the·following·command: 
158 <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> 
159 </td> 
160 <td></td> 
161 </tr> 
162 <tr> 
163 <td>SRG-OS-000480-GPOS-00232</td> 
164 <td>CCI-000366</td> 
165 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> 
166 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> 
167 <td>xwindows_runlevel_setting</td> 
168 <td>Disable·X·Windows·Startup·By·Setting·Runlevel</td> 
169 <td·xml:lang="en-US">Setting·the·system's·runlevel·to·3·will·prevent·automatic·startup 
170 of·the·X·server.·To·do·so,·ensure·the·following·line·in·<code>/etc/inittab</code> 
171 features·a·<code>3</code>·as·shown: 
172 <pre>id:3:initdefault:</pre> 
173 </td> 
174 <td></td> 
175 </tr> 
176 <tr> 
177 <td>SRG-OS-000480-GPOS-00232</td> 
178 <td>CCI-000366</td> 
179 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> 
180 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> 
181 <td>service_named_disabled</td>73 <td>service_named_disabled</td>
182 <td>Disable·DNS·Server</td>74 <td>Disable·DNS·Server</td>
183 <td·xml:lang="en-US">75 <td·xml:lang="en-US">
184 ············76 ············
185 ········The·<code>named</code>·service·can·be·disabled·with·the·following·command:77 ········The·<code>named</code>·service·can·be·disabled·with·the·following·command:
186 ········<pre>$·sudo·chkconfig·named·off</pre>78 ········<pre>$·sudo·chkconfig·named·off</pre>
187 ··········</td>79 ··········</td>
Offset 219, 131 lines modifiedOffset 109, 138 lines modified
219 <td></td>109 <td></td>
220 </tr>110 </tr>
Max diff block lines reached; 384067/390015 bytes (98.47%) of diff not shown.
201 KB
./usr/share/doc/ssg-nondebian/table-rhel6-srgmap.html
Ordering differences only
Offset 65, 14 lines modifiedOffset 65, 64 lines modified
65 <tr>65 <tr>
66 <td>SRG-OS-000480-GPOS-00232</td>66 <td>SRG-OS-000480-GPOS-00232</td>
67 <td>CCI-000366</td>67 <td>CCI-000366</td>
68 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>68 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>
69 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>69 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>
70 <td>70 <td>
71 <table><tr>71 <table><tr>
 72 <td>Disable·DNS·Server</td>
 73 <td·xml:lang="en-US">
 74 ············
 75 ········The·<code>named</code>·service·can·be·disabled·with·the·following·command:
 76 ········<pre>$·sudo·chkconfig·named·off</pre>
 77 ··········</td>
 78 </tr></table>
 79 <table><tr>
 80 <td>Uninstall·bind·Package</td>
 81 <td·xml:lang="en-US">To·remove·the·<code>bind</code>·package,·which·contains·the
 82 <code>named</code>·service,·run·the·following·command:
 83 <pre>$·sudo·yum·erase·bind</pre>
 84 </td>
 85 </tr></table>
 86 <table><tr>
 87 <td>Uninstall·openldap-servers·Package</td>
 88 <td·xml:lang="en-US">The·<code>openldap-servers</code>·package·should·be·removed·if·not·in·use.
 89 Is·this·system·the·OpenLDAP·server?·If·not,·remove·the·package.
 90 <pre>$·sudo·yum·erase·openldap-servers</pre>
 91 The·openldap-servers·RPM·is·not·installed·by·default·on·Red·Hat·Enterprise·Linux·6
 92 systems.·It·is·needed·only·by·the·OpenLDAP·server,·not·by·the
 93 clients·which·use·LDAP·for·authentication.·If·the·system·is·not
 94 intended·for·use·as·an·LDAP·Server·it·should·be·removed.</td>
 95 </tr></table>
 96 <table><tr>
 97 <td>Disable·X·Windows·Startup·By·Setting·Runlevel</td>
 98 <td·xml:lang="en-US">Setting·the·system's·runlevel·to·3·will·prevent·automatic·startup
 99 of·the·X·server.·To·do·so,·ensure·the·following·line·in·<code>/etc/inittab</code>
 100 features·a·<code>3</code>·as·shown:
 101 <pre>id:3:initdefault:</pre>
 102 </td>
 103 </tr></table>
 104 <table><tr>
 105 <td>Remove·the·X·Windows·Package·Group</td>
 106 <td·xml:lang="en-US">Removing·all·packages·which·constitute·the·X·Window·System
 107 ensures·users·or·malicious·software·cannot·start·X.
 108 To·do·so,·run·the·following·command:
 109 <pre>$·sudo·yum·groupremove·"X·Window·System"</pre>
 110 </td>
 111 </tr></table>
 112 <table><tr>
 113 <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td>
 114 <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured
 115 to·change·its·root·directory·at·startup.·To·do·so,·ensure
 116 <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in
 117 the·following·example·(which·is·also·the·default):
 118 <pre>server_args·=·-s·/var/lib/tftpboot</pre>
 119 </td>
 120 </tr></table>
 121 <table><tr>
72 <td>Configure·System·to·Forward·All·Mail·For·The·Root·Account</td>122 <td>Configure·System·to·Forward·All·Mail·For·The·Root·Account</td>
73 <td·xml:lang="en-US">Set·up·an·alias·for·root·that·forwards·to·a·monitored·email·address:123 <td·xml:lang="en-US">Set·up·an·alias·for·root·that·forwards·to·a·monitored·email·address:
74 <pre>$·sudo·echo·"root:·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_postfix_root_mail_alias"></ns0:sub>"·&gt;&gt;·/etc/aliases124 <pre>$·sudo·echo·"root:·<ns0:sub·xmlns:ns0="http://checklists.nist.gov/xccdf/1.1"·idref="var_postfix_root_mail_alias"></ns0:sub>"·&gt;&gt;·/etc/aliases
75 $·sudo·newaliases</pre>125 $·sudo·newaliases</pre>
76 </td>126 </td>
77 </tr></table>127 </tr></table>
78 <table><tr>128 <table><tr>
Offset 108, 139 lines modifiedOffset 158, 22 lines modified
108 any·system·that·does·not·need·to·act·as·a·DHCP·server.158 any·system·that·does·not·need·to·act·as·a·DHCP·server.
  
109 ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command:159 ········The·<code>dhcpd</code>·service·can·be·disabled·with·the·following·command:
110 ········<pre>$·sudo·chkconfig·dhcpd·off</pre>160 ········<pre>$·sudo·chkconfig·dhcpd·off</pre>
111 </td>161 </td>
112 </tr></table>162 </tr></table>
113 <table><tr>163 <table><tr>
114 <td>Ensure·tftp·Daemon·Uses·Secure·Mode</td> 
115 <td·xml:lang="en-US">If·running·the·<code>tftp</code>·service·is·necessary,·it·should·be·configured 
116 to·change·its·root·directory·at·startup.·To·do·so,·ensure 
117 <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in 
118 the·following·example·(which·is·also·the·default): 
119 <pre>server_args·=·-s·/var/lib/tftpboot</pre> 
120 </td> 
121 </tr></table> 
122 <table><tr> 
123 <td>Remove·the·X·Windows·Package·Group</td> 
124 <td·xml:lang="en-US">Removing·all·packages·which·constitute·the·X·Window·System 
125 ensures·users·or·malicious·software·cannot·start·X. 
126 To·do·so,·run·the·following·command: 
127 <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> 
128 </td> 
129 </tr></table> 
130 <table><tr> 
131 <td>Disable·X·Windows·Startup·By·Setting·Runlevel</td> 
132 <td·xml:lang="en-US">Setting·the·system's·runlevel·to·3·will·prevent·automatic·startup 
133 of·the·X·server.·To·do·so,·ensure·the·following·line·in·<code>/etc/inittab</code> 
134 features·a·<code>3</code>·as·shown: 
135 <pre>id:3:initdefault:</pre> 
136 </td> 
137 </tr></table> 
138 <table><tr> 
139 <td>Disable·DNS·Server</td> 
140 <td·xml:lang="en-US"> 
141 ············ 
142 ········The·<code>named</code>·service·can·be·disabled·with·the·following·command: 
143 ········<pre>$·sudo·chkconfig·named·off</pre> 
144 ··········</td> 
145 </tr></table> 
146 <table><tr> 
147 <td>Uninstall·bind·Package</td> 
148 <td·xml:lang="en-US">To·remove·the·<code>bind</code>·package,·which·contains·the 
149 <code>named</code>·service,·run·the·following·command: 
150 <pre>$·sudo·yum·erase·bind</pre> 
151 </td> 
152 </tr></table> 
153 <table><tr> 
154 <td>Uninstall·openldap-servers·Package</td> 
155 <td·xml:lang="en-US">The·<code>openldap-servers</code>·package·should·be·removed·if·not·in·use. 
156 Is·this·system·the·OpenLDAP·server?·If·not,·remove·the·package. 
157 <pre>$·sudo·yum·erase·openldap-servers</pre> 
158 The·openldap-servers·RPM·is·not·installed·by·default·on·Red·Hat·Enterprise·Linux·6 
159 systems.·It·is·needed·only·by·the·OpenLDAP·server,·not·by·the 
160 clients·which·use·LDAP·for·authentication.·If·the·system·is·not 
161 intended·for·use·as·an·LDAP·Server·it·should·be·removed.</td> 
162 </tr></table> 
163 <table><tr> 
164 <td>Disable·Avahi·Server·Software</td>164 <td>Disable·Avahi·Server·Software</td>
165 <td·xml:lang="en-US">165 <td·xml:lang="en-US">
166 ············166 ············
167 ········The·<code>avahi-daemon</code>·service·can·be·disabled·with·the·following·command:167 ········The·<code>avahi-daemon</code>·service·can·be·disabled·with·the·following·command:
168 ········<pre>$·sudo·chkconfig·avahi-daemon·off</pre>168 ········<pre>$·sudo·chkconfig·avahi-daemon·off</pre>
Max diff block lines reached; 200508/205974 bytes (97.35%) of diff not shown.
304 KB
./usr/share/doc/ssg-nondebian/table-rhel7-cces.html
Ordering differences only
Offset 37, 32 lines modifiedOffset 37, 14 lines modified
37 <table>37 <table>
38 <thead>38 <thead>
39 <td>CCE·ID</td>39 <td>CCE·ID</td>
40 <td>Rule·Title</td>40 <td>Rule·Title</td>
41 <td>Description</td>41 <td>Description</td>
42 </thead>42 </thead>
43 <tr>43 <tr>
44 <td>CCE-80441-9</td> 
45 <td>Use·direct-lvm·with·the·Device·Mapper·Storage·Driver</td> 
46 <td·xml:lang="en-US">To·use·Docker·in·production·with·the·device·mapper·storage·driver,·the·Docker 
47 daemon·should·be·configured·to·use·direct-lvm·instead·of·loopback·device·as 
48 a·storage.·For·setting·up·the·LVM·and·configuring·Docker,·see·the 
49 <a·href="https://docs.docker.com/engine/userguide/storagedriver/device-mapper-driver/">Docker·Device·Mapper·Storage·Documentation</a>.</td> 
50 </tr> 
51 <tr> 
52 <td>CCE-80440-1</td> 
53 <td>Enable·the·Docker·service</td> 
54 <td·xml:lang="en-US">The·docker·service·is·commonly·needed·to 
55 ··create·containers. 
  
56 ········The·<code>docker</code>·service·can·be·enabled·with·the·following·command: 
57 ········<pre>$·sudo·systemctl·enable·docker.service</pre> 
58 </td> 
59 </tr> 
60 <tr> 
61 <td>CCE-27274-0</td>44 <td>CCE-27274-0</td>
62 <td>Uninstall·rsh·Package</td>45 <td>Uninstall·rsh·Package</td>
63 <td·xml:lang="en-US">The·<code>rsh</code>·package·contains·the·client·commands46 <td·xml:lang="en-US">The·<code>rsh</code>·package·contains·the·client·commands
64 for·the·rsh·services</td>47 for·the·rsh·services</td>
65 </tr>48 </tr>
66 <tr>49 <tr>
67 <td>CCE-27336-7</td>50 <td>CCE-27336-7</td>
Offset 181, 32 lines modifiedOffset 163, 32 lines modified
181 <td>Uninstall·telnet-server·Package</td>163 <td>Uninstall·telnet-server·Package</td>
182 <td·xml:lang="en-US">The·<code>telnet-server</code>·package·can·be·uninstalled·with164 <td·xml:lang="en-US">The·<code>telnet-server</code>·package·can·be·uninstalled·with
183 the·following·command:165 the·following·command:
184 <pre>$·sudo·yum·erase·telnet-server</pre>166 <pre>$·sudo·yum·erase·telnet-server</pre>
185 </td>167 </td>
186 </tr>168 </tr>
187 <tr>169 <tr>
 170 <td>CCE-27396-1</td>
 171 <td>Remove·NIS·Client</td>
 172 <td·xml:lang="en-US">The·Network·Information·Service·(NIS),·formerly·known·as·Yellow·Pages,
 173 is·a·client-server·directory·service·protocol·used·to·distribute·system·configuration
 174 files.·The·NIS·client·(<code>ypbind</code>)·was·used·to·bind·a·system·to·an·NIS·server
 175 and·receive·the·distributed·configuration·files.</td>
 176 </tr>
 177 <tr>
188 <td>CCE-27385-4</td>178 <td>CCE-27385-4</td>
189 <td>Disable·ypbind·Service</td>179 <td>Disable·ypbind·Service</td>
190 <td·xml:lang="en-US">The·<code>ypbind</code>·service,·which·allows·the·system·to·act·as·a·client·in180 <td·xml:lang="en-US">The·<code>ypbind</code>·service,·which·allows·the·system·to·act·as·a·client·in
191 a·NIS·or·NIS+·domain,·should·be·disabled.181 a·NIS·or·NIS+·domain,·should·be·disabled.
  
192 ········The·<code>ypbind</code>·service·can·be·disabled·with·the·following·command:182 ········The·<code>ypbind</code>·service·can·be·disabled·with·the·following·command:
193 ········<pre>$·sudo·systemctl·disable·ypbind.service</pre>183 ········<pre>$·sudo·systemctl·disable·ypbind.service</pre>
194 </td>184 </td>
195 </tr>185 </tr>
196 <tr>186 <tr>
197 <td>CCE-27396-1</td> 
198 <td>Remove·NIS·Client</td> 
199 <td·xml:lang="en-US">The·Network·Information·Service·(NIS),·formerly·known·as·Yellow·Pages, 
200 is·a·client-server·directory·service·protocol·used·to·distribute·system·configuration 
201 files.·The·NIS·client·(<code>ypbind</code>)·was·used·to·bind·a·system·to·an·NIS·server 
202 and·receive·the·distributed·configuration·files.</td> 
203 </tr> 
204 <tr> 
205 <td>CCE-27399-5</td>187 <td>CCE-27399-5</td>
206 <td>Uninstall·ypserv·Package</td>188 <td>Uninstall·ypserv·Package</td>
207 <td·xml:lang="en-US">The·<code>ypserv</code>·package·can·be·uninstalled·with189 <td·xml:lang="en-US">The·<code>ypserv</code>·package·can·be·uninstalled·with
208 the·following·command:190 the·following·command:
209 <pre>$·sudo·yum·erase·ypserv</pre>191 <pre>$·sudo·yum·erase·ypserv</pre>
210 </td>192 </td>
211 </tr>193 </tr>
Offset 243, 33 lines modifiedOffset 225, 33 lines modified
243 to·change·its·root·directory·at·startup.·To·do·so,·ensure225 to·change·its·root·directory·at·startup.·To·do·so,·ensure
244 <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in226 <code>/etc/xinetd.d/tftp</code>·includes·<code>-s</code>·as·a·command·line·argument,·as·shown·in
245 the·following·example·(which·is·also·the·default):227 the·following·example·(which·is·also·the·default):
246 <pre>server_args·=·-s·/var/lib/tftpboot</pre>228 <pre>server_args·=·-s·/var/lib/tftpboot</pre>
247 </td>229 </td>
248 </tr>230 </tr>
249 <tr>231 <tr>
250 <td>CCE-27443-1</td> 
251 <td>Disable·xinetd·Service</td> 
252 <td·xml:lang="en-US"> 
253 ············ 
254 ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: 
255 ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> 
256 ··········</td> 
257 </tr> 
258 <tr> 
259 <td>CCE-27361-5</td>232 <td>CCE-27361-5</td>
260 <td>Install·tcp_wrappers·Package</td>233 <td>Install·tcp_wrappers·Package</td>
261 <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the234 <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the
262 <code>tcp_wrappers</code>·package·should·be·installed.235 <code>tcp_wrappers</code>·package·should·be·installed.
  
263 ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command:236 ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command:
264 ········<pre>$·sudo·yum·install·tcp_wrappers</pre>237 ········<pre>$·sudo·yum·install·tcp_wrappers</pre>
265 </td>238 </td>
266 </tr>239 </tr>
267 <tr>240 <tr>
 241 <td>CCE-27443-1</td>
 242 <td>Disable·xinetd·Service</td>
 243 <td·xml:lang="en-US">
 244 ············
 245 ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command:
 246 ········<pre>$·sudo·systemctl·disable·xinetd.service</pre>
 247 ··········</td>
 248 </tr>
 249 <tr>
268 <td>CCE-27354-0</td>250 <td>CCE-27354-0</td>
269 <td>Uninstall·xinetd·Package</td>251 <td>Uninstall·xinetd·Package</td>
270 <td·xml:lang="en-US">The·<code>xinetd</code>·package·can·be·uninstalled·with·the·following·command:252 <td·xml:lang="en-US">The·<code>xinetd</code>·package·can·be·uninstalled·with·the·following·command:
271 <pre>$·sudo·yum·erase·xinetd</pre>253 <pre>$·sudo·yum·erase·xinetd</pre>
272 </td>254 </td>
273 </tr>255 </tr>
274 <tr>256 <tr>
Offset 290, 40 lines modifiedOffset 272, 83 lines modified
290 <td·xml:lang="en-US">272 <td·xml:lang="en-US">
291 ············273 ············
292 ········The·<code>talk-server</code>·package·can·be·removed·with·the·following·command:274 ········The·<code>talk-server</code>·package·can·be·removed·with·the·following·command:
293 ········<pre>$·sudo·yum·erase·talk-server</pre>275 ········<pre>$·sudo·yum·erase·talk-server</pre>
294 ··········</td>276 ··········</td>
295 </tr>277 </tr>
296 <tr>278 <tr>
 279 <td>CCE-80298-3</td>
 280 <td>Configure·Dovecot·to·Use·the·SSL·Key·file</td>
 281 <td·xml:lang="en-US">This·option·tells·Dovecot·where·to·find·the·the·mail·
Max diff block lines reached; 304807/311388 bytes (97.89%) of diff not shown.
77.2 KB
./usr/share/doc/ssg-nondebian/table-rhel7-cisrefs.html
Ordering differences only
Offset 227, 42 lines modifiedOffset 227, 42 lines modified
227 ········<pre>$·sudo·systemctl·disable·tftp.service</pre>227 ········<pre>$·sudo·systemctl·disable·tftp.service</pre>
228 </td>228 </td>
229 <td·xml:lang="en-US">Disabling·the·<code>tftp</code>·service·ensures·the·system·is·not·acting229 <td·xml:lang="en-US">Disabling·the·<code>tftp</code>·service·ensures·the·system·is·not·acting
230 as·a·TFTP·server,·which·does·not·provide·encryption·or·authentication.</td>230 as·a·TFTP·server,·which·does·not·provide·encryption·or·authentication.</td>
231 <td></td>231 <td></td>
232 </tr>232 </tr>
233 <tr>233 <tr>
234 <td>2.1.7</td> 
235 <td>Disable·xinetd·Service</td> 
236 <td·xml:lang="en-US"> 
237 ············ 
238 ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command: 
239 ········<pre>$·sudo·systemctl·disable·xinetd.service</pre> 
240 ··········</td> 
241 <td·xml:lang="en-US">The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs, 
242 which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling 
243 it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents 
244 attacks·against·xinetd·itself.</td> 
245 <td></td> 
246 </tr> 
247 <tr> 
248 <td>3.4.1</td>234 <td>3.4.1</td>
249 <td>Install·tcp_wrappers·Package</td>235 <td>Install·tcp_wrappers·Package</td>
250 <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the236 <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the
251 <code>tcp_wrappers</code>·package·should·be·installed.237 <code>tcp_wrappers</code>·package·should·be·installed.
  
252 ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command:238 ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command:
253 ········<pre>$·sudo·yum·install·tcp_wrappers</pre>239 ········<pre>$·sudo·yum·install·tcp_wrappers</pre>
254 </td>240 </td>
255 <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture241 <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture
256 by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This242 by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This
257 prevents·connections·from·unknown·hosts·and·protocols.</td>243 prevents·connections·from·unknown·hosts·and·protocols.</td>
258 <td></td>244 <td></td>
259 </tr>245 </tr>
260 <tr>246 <tr>
 247 <td>2.1.7</td>
 248 <td>Disable·xinetd·Service</td>
 249 <td·xml:lang="en-US">
 250 ············
 251 ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command:
 252 ········<pre>$·sudo·systemctl·disable·xinetd.service</pre>
 253 ··········</td>
 254 <td·xml:lang="en-US">The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs,
 255 which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling
 256 it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents
 257 attacks·against·xinetd·itself.</td>
 258 <td></td>
 259 </tr>
 260 <tr>
261 <td>2.3.3</td>261 <td>2.3.3</td>
262 <td>Uninstall·talk·Package</td>262 <td>Uninstall·talk·Package</td>
263 <td·xml:lang="en-US">The·<code>talk</code>·package·contains·the·client·program·for·the263 <td·xml:lang="en-US">The·<code>talk</code>·package·contains·the·client·program·for·the
264 Internet·talk·protocol,·which·allows·the·user·to·chat·with·other·users·on264 Internet·talk·protocol,·which·allows·the·user·to·chat·with·other·users·on
265 different·systems.·Talk·is·a·communication·program·which·copies·lines·from·one265 different·systems.·Talk·is·a·communication·program·which·copies·lines·from·one
266 terminal·to·the·terminal·of·another·user.266 terminal·to·the·terminal·of·another·user.
  
Offset 284, 14 lines modifiedOffset 284, 26 lines modified
284 ··········</td>284 ··········</td>
285 <td·xml:lang="en-US">The·talk·software·presents·a·security·risk·as·it·uses·unencrypted·protocols285 <td·xml:lang="en-US">The·talk·software·presents·a·security·risk·as·it·uses·unencrypted·protocols
286 for·communications.·Removing·the·<code>talk-server</code>·package·decreases·the286 for·communications.·Removing·the·<code>talk-server</code>·package·decreases·the
287 risk·of·the·accidental·(or·intentional)·activation·of·talk·services.</td>287 risk·of·the·accidental·(or·intentional)·activation·of·talk·services.</td>
288 <td></td>288 <td></td>
289 </tr>289 </tr>
290 <tr>290 <tr>
 291 <td>2.2.11</td>
 292 <td>Disable·Dovecot·Service</td>
 293 <td·xml:lang="en-US">
 294 ············
 295 ········The·<code>dovecot</code>·service·can·be·disabled·with·the·following·command:
 296 ········<pre>$·sudo·systemctl·disable·dovecot.service</pre>
 297 ··········</td>
 298 <td·xml:lang="en-US">Running·an·IMAP·or·POP3·server·provides·a·network-based
 299 avenue·of·attack,·and·should·be·disabled·if·not·needed.</td>
 300 <td></td>
 301 </tr>
 302 <tr>
291 <td>2.2.9</td>303 <td>2.2.9</td>
292 <td>Disable·vsftpd·Service</td>304 <td>Disable·vsftpd·Service</td>
293 <td·xml:lang="en-US">305 <td·xml:lang="en-US">
294 ············306 ············
295 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:307 ········The·<code>vsftpd</code>·service·can·be·disabled·with·the·following·command:
296 ········<pre>$·sudo·systemctl·disable·vsftpd.service</pre>308 ········<pre>$·sudo·systemctl·disable·vsftpd.service</pre>
297 ··········</td>309 ··········</td>
Offset 487, 26 lines modifiedOffset 499, 14 lines modified
487 </td>499 </td>
488 <td·xml:lang="en-US">Unmanaged·or·unintentionally·activated·DHCP·servers·may·provide·faulty·information500 <td·xml:lang="en-US">Unmanaged·or·unintentionally·activated·DHCP·servers·may·provide·faulty·information
489 to·clients,·interfering·with·the·operation·of·a·legitimate·site501 to·clients,·interfering·with·the·operation·of·a·legitimate·site
490 DHCP·server·if·there·is·one.</td>502 DHCP·server·if·there·is·one.</td>
491 <td></td>503 <td></td>
492 </tr>504 </tr>
493 <tr>505 <tr>
494 <td>2.2.11</td> 
495 <td>Disable·Dovecot·Service</td> 
496 <td·xml:lang="en-US"> 
497 ············ 
498 ········The·<code>dovecot</code>·service·can·be·disabled·with·the·following·command: 
499 ········<pre>$·sudo·systemctl·disable·dovecot.service</pre> 
500 ··········</td> 
501 <td·xml:lang="en-US">Running·an·IMAP·or·POP3·server·provides·a·network-based 
502 avenue·of·attack,·and·should·be·disabled·if·not·needed.</td> 
503 <td></td> 
504 </tr> 
505 <tr> 
506 <td>2.2.7</td>506 <td>2.2.7</td>
507 <td>Disable·rpcbind·Service</td>507 <td>Disable·rpcbind·Service</td>
508 <td·xml:lang="en-US">The·rpcbind·utility·maps·RPC·services·to·the·ports·on·which·they·listen.·RPC508 <td·xml:lang="en-US">The·rpcbind·utility·maps·RPC·services·to·the·ports·on·which·they·listen.·RPC
509 processes·notify·rpcbind·when·they·start,·registering·the·ports·they·are509 processes·notify·rpcbind·when·they·start,·registering·the·ports·they·are
510 listening·on·and·the·RPC·program·numbers·they·expect·to·serve.·The·rpcbind510 listening·on·and·the·RPC·program·numbers·they·expect·to·serve.·The·rpcbind
511 service·redirects·the·client·to·the·proper·port·number·so·it·can·communicate·511 service·redirects·the·client·to·the·proper·port·number·so·it·can·communicate·
512 with·the·requested·service.·If·the·system·does·not·require·RPC·(such·as·for·NFS512 with·the·requested·service.·If·the·system·does·not·require·RPC·(such·as·for·NFS
Offset 579, 14 lines modifiedOffset 579, 36 lines modified
579 <pre>ClientAliveCountMax·0</pre>579 <pre>ClientAliveCountMax·0</pre>
580 </td>580 </td>
581 <td·xml:lang="en-US">This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>581 <td·xml:lang="en-US">This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
582 is·reached.</td>582 is·reached.</td>
583 <td></td>583 <td></td>
584 </tr>584 </tr>
585 <tr>585 <tr>
 586 <td>5.2.12</td>
 587 <td>Set·SSH·Idle·Timeout·Interval</td>
 588 <td·xml:lang="en-US">SSH·allows·administrators·to·set·an·idle·timeout
 589 interval.
 590 After·this·interval·has·passed,·the·idle·user·will·be
 591 automatically·logged·out.
 592 <br><br>
 593 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
 594 follows:
Max diff block lines reached; 73217/78932 bytes (92.76%) of diff not shown.
120 KB
./usr/share/doc/ssg-nondebian/table-rhel7-cuirefs.html
Ordering differences only
    
Offset 313, 14 lines modifiedOffset 313, 27 lines modified
313 information·on·this·is·available·at313 information·on·this·is·available·at
314 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a>314 <a·href="http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate">http://support.ntp.org/bin/view/Dev/DeprecatingNtpdate</a>
315 </td>315 </td>
316 <td></td>316 <td></td>
317 </tr>317 </tr>
318 <tr>318 <tr>
319 <td>3.1.12</td>319 <td>3.1.12</td>
 320 <td>Enable·Use·of·Strict·Mode·Checking</td>
 321 <td·xml:lang="en-US">SSHs·StrictModes·option·checks·file·and·ownership·permissions·in
 322 the·user's·home·directory·<code>.ssh</code>·folder·before·accepting·login.·If·world-
 323 writable·permissions·are·found,·logon·is·rejected.·To·enable·StrictModes·in·SSH,
 324 add·or·correct·the·following·line·in·the·<code>/etc/ssh/sshd_config</code>·file:
 325 <pre>StrictModes·yes</pre>
 326 </td>
 327 <td·xml:lang="en-US">If·other·users·have·access·to·modify·user-specific·SSH·configuration·files,·they
 328 may·be·able·to·log·into·the·system·as·another·user.</td>
 329 <td></td>
 330 </tr>
 331 <tr>
 332 <td>3.1.12</td>
320 <td>Disable·SSH·Support·for·User·Known·Hosts</td>333 <td>Disable·SSH·Support·for·User·Known·Hosts</td>
321 <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect334 <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect
322 to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available.335 to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available.
323 This·should·be·disabled.336 This·should·be·disabled.
324 <br><br>337 <br><br>
325 To·ensure·this·behavior·is·disabled,·add·or·correct·the338 To·ensure·this·behavior·is·disabled,·add·or·correct·the
326 following·line·in·<code>/etc/ssh/sshd_config</code>:339 following·line·in·<code>/etc/ssh/sshd_config</code>:
Offset 369, 26 lines modifiedOffset 382, 33 lines modified
369 <pre>ClientAliveCountMax·0</pre>382 <pre>ClientAliveCountMax·0</pre>
370 </td>383 </td>
371 <td·xml:lang="en-US">This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>384 <td·xml:lang="en-US">This·ensures·a·user·login·will·be·terminated·as·soon·as·the·<code>ClientAliveCountMax</code>
372 is·reached.</td>385 is·reached.</td>
373 <td></td>386 <td></td>
374 </tr>387 </tr>
375 <tr>388 <tr>
376 <td>3.1.12</td>389 <td>3.1.11</td>
377 <td>Disable·SSH·Support·for·Rhosts·RSA·Authentication</td>390 <td>Set·SSH·Idle·Timeout·Interval</td>
378 <td·xml:lang="en-US">SSH·can·allow·authentication·through·the·obsolete·rsh391 <td·xml:lang="en-US">SSH·allows·administrators·to·set·an·idle·timeout
379 command·through·the·use·of·the·authenticating·user's·SSH·keys.·This·should·be·disabled.392 interval.
 393 After·this·interval·has·passed,·the·idle·user·will·be
 394 automatically·logged·out.
380 <br><br>395 <br><br>
381 To·ensure·this·behavior·is·disabled,·add·or·correct·the396 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as
382 following·line·in·<code>/etc/ssh/sshd_config</code>:397 follows:
383 <pre>RhostsRSAAuthentication·no</pre>398 <pre>ClientAliveInterval·<b>interval</b></pre>
384 </td>399 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout
385 <td·xml:lang="en-US">Configuring·this·setting·for·the·SSH·daemon·provides·additional400 of·10·minutes,·set·<b>interval</b>·to·600.
386 assurance·that·remove·login·via·SSH·will·require·a·password,·even401 <br><br>
387 in·the·event·of·misconfiguration·elsewhere.</td>402 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·
 403 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH
 404 from·correctly·detecting·that·the·user·is·idle.</td>
 405 <td·xml:lang="en-US">Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of
 406 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session
 407 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</td>
388 <td></td>408 <td></td>
389 </tr>409 </tr>
390 <tr>410 <tr>
391 <td>3.1.12</td>411 <td>3.1.12</td>
392 <td>Limit·Users'·SSH·Access</td>412 <td>Limit·Users'·SSH·Access</td>
393 <td·xml:lang="en-US">By·default,·the·SSH·configuration·allows·any·user·with·an·account413 <td·xml:lang="en-US">By·default,·the·SSH·configuration·allows·any·user·with·an·account
394 to·access·the·system.·In·order·to·specify·the·users·that·are·allowed·to·login414 to·access·the·system.·In·order·to·specify·the·users·that·are·allowed·to·login
Offset 481, 26 lines modifiedOffset 501, 14 lines modified
481 RHEL7·can·be·found·at·http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.</td>501 RHEL7·can·be·found·at·http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2630.pdf.</td>
482 <td·xml:lang="en-US">DoD·Information·Systems·are·required·to·use·FIPS-approved·cryptographic·hash502 <td·xml:lang="en-US">DoD·Information·Systems·are·required·to·use·FIPS-approved·cryptographic·hash
483 functions.·The·only·SSHv2·hash·algorithms·meeting·this·requirement·is·SHA2.</td>503 functions.·The·only·SSHv2·hash·algorithms·meeting·this·requirement·is·SHA2.</td>
484 <td></td>504 <td></td>
485 </tr>505 </tr>
486 <tr>506 <tr>
487 <td>3.1.12</td>507 <td>3.1.12</td>
488 <td>Do·Not·Allow·SSH·Environment·Options</td> 
489 <td·xml:lang="en-US">To·ensure·users·are·not·able·to·override·environment 
490 options·to·the·SSH·daemon,·add·or·correct·the·following·line 
491 in·<code>/etc/ssh/sshd_config</code>: 
492 <pre>PermitUserEnvironment·no</pre> 
493 </td> 
494 <td·xml:lang="en-US">SSH·environment·options·potentially·allow·users·to·bypass 
495 access·restriction·in·some·configurations.</td> 
496 <td></td> 
497 </tr> 
498 <tr> 
499 <td>3.1.12</td> 
500 <td>Disable·Kerberos·Authentication</td>508 <td>Disable·Kerberos·Authentication</td>
501 <td·xml:lang="en-US">Unless·needed,·SSH·should·not·permit·extraneous·or·unnecessary509 <td·xml:lang="en-US">Unless·needed,·SSH·should·not·permit·extraneous·or·unnecessary
502 authentication·mechanisms·like·Kerberos.·To·disable·Kerberos·authentication,·add510 authentication·mechanisms·like·Kerberos.·To·disable·Kerberos·authentication,·add
503 or·correct·the·following·line·in·the·<code>/etc/ssh/sshd_config</code>·file:511 or·correct·the·following·line·in·the·<code>/etc/ssh/sshd_config</code>·file:
504 <pre>KerberosAuthentication·no</pre>512 <pre>KerberosAuthentication·no</pre>
505 </td>513 </td>
506 <td·xml:lang="en-US">Kerberos·authentication·for·SSH·is·often·implemented·using·GSSAPI.·If·Kerberos514 <td·xml:lang="en-US">Kerberos·authentication·for·SSH·is·often·implemented·using·GSSAPI.·If·Kerberos
Offset 551, 33 lines modifiedOffset 559, 38 lines modified
551 <pre>IgnoreRhosts·yes</pre>559 <pre>IgnoreRhosts·yes</pre>
552 </td>560 </td>
553 <td·xml:lang="en-US">SSH·trust·relationships·mean·a·compromise·on·one·host561 <td·xml:lang="en-US">SSH·trust·relationships·mean·a·compromise·on·one·host
554 can·allow·an·attacker·to·move·trivially·to·other·hosts.</td>562 can·allow·an·attacker·to·move·trivially·to·other·hosts.</td>
555 <td></td>563 <td></td>
556 </tr>564 </tr>
557 <tr>565 <tr>
558 <td>3.1.11</td>566 <td>3.1.12</td>
559 <td>Set·SSH·Idle·Timeout·Interval</td>567 <td>Disable·SSH·Support·for·Rhosts·RSA·Authentication</td>
560 <td·xml:lang="en-US">SSH·allows·administrators·to·set·an·idle·timeout568 <td·xml:lang="en-US">SSH·can·allow·authentication·through·the·obsolete·rsh
561 interval.569 command·through·the·use·of·the·authenticating·user's·SSH·keys.·This·should·be·disabled.
562 After·this·interval·has·passed,·the·idle·user·will·be 
563 automatically·logged·out. 
564 <br><br> 
565 To·set·an·idle·timeout·interval,·edit·the·following·line·in·<code>/etc/ssh/sshd_config</code>·as 
566 follows: 
567 <pre>ClientAliveInterval·<b>interval</b></pre> 
568 The·timeout·<b>interval</b>·is·given·in·seconds.·To·have·a·timeout 
569 of·10·minutes,·set·<b>interval</b>·to·600. 
570 <br><br>570 <br><br>
571 If·a·shorter·timeout·has·already·been·set·for·the·login·shell,·that·value·will·571 To·ensure·this·behavior·is·disabled,·add·or·correct·the
572 preempt·any·SSH·setting·made·here.·Keep·in·mind·that·some·processes·may·stop·SSH572 following·line·in·<code>/etc/ssh/sshd_config</code>:
573 from·correctly·detecting·that·the·user·is·idle.</td>573 <pre>RhostsRSAAuthentication·no</pre>
574 <td·xml:lang="en-US">Terminating·an·idle·ssh·session·within·a·short·time·period·reduces·the·window·of574 </td>
575 opportunity·for·unauthorized·personnel·to·take·control·of·a·management·session575 <td·xml:lang="en-US">Configuring·this·setting·for·the·SSH·daemon·provides·additional
576 enabled·on·the·console·or·console·port·that·has·been·let·unattended.</td>576 assurance·that·remove·login·via·SSH·will·require·a·password,·even
 577 in·the·event·of·misconfiguration·elsewhere.</td>
 578 <td></td>
 579 </tr>
 580 <tr>
 581 <td>3.1.12</td>
 582 <td>Do·Not·Allow·SSH·Environment·Options</td>
 583 <td·xml:lang="en-US">To·ensure·users·are·not·able·to·override·environment
 584 options·to·the·SSH·daemon,·add·or·correct·the·following·line
 585 in·<code>/etc/ssh/sshd_config</code>:
 586 <pre>PermitUserEnvironment·no</pre>
 587 </td>
 588 <td·xml:lang="en-US">SSH·environment·options·potentially·allow·users·to·bypass
Max diff block lines reached; 116489/123219 bytes (94.54%) of diff not shown.
570 KB
./usr/share/doc/ssg-nondebian/table-rhel7-nistrefs.html
Ordering differences only
    
Offset 555, 14 lines modifiedOffset 555, 28 lines modified
555 </td>555 </td>
556 <td·xml:lang="en-US">Using·the·<code>-s</code>·option·causes·the·TFTP·service·to·only·serve·files·from·the556 <td·xml:lang="en-US">Using·the·<code>-s</code>·option·causes·the·TFTP·service·to·only·serve·files·from·the
557 given·directory.·Serving·files·from·an·intentionally-specified·directory557 given·directory.·Serving·files·from·an·intentionally-specified·directory
558 reduces·the·risk·of·sharing·files·which·should·remain·private.</td>558 reduces·the·risk·of·sharing·files·which·should·remain·private.</td>
559 <td></td>559 <td></td>
560 </tr>560 </tr>
561 <tr>561 <tr>
 562 <td>CM-6(b)</td>
 563 <td>Install·tcp_wrappers·Package</td>
 564 <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the
 565 <code>tcp_wrappers</code>·package·should·be·installed.
  
 566 ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command:
 567 ········<pre>$·sudo·yum·install·tcp_wrappers</pre>
 568 </td>
 569 <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture
 570 by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This
 571 prevents·connections·from·unknown·hosts·and·protocols.</td>
 572 <td></td>
 573 </tr>
 574 <tr>
562 <td>AC-17(8)</td>575 <td>AC-17(8)</td>
563 <td>Disable·xinetd·Service</td>576 <td>Disable·xinetd·Service</td>
564 <td·xml:lang="en-US">577 <td·xml:lang="en-US">
565 ············578 ············
566 ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command:579 ········The·<code>xinetd</code>·service·can·be·disabled·with·the·following·command:
567 ········<pre>$·sudo·systemctl·disable·xinetd.service</pre>580 ········<pre>$·sudo·systemctl·disable·xinetd.service</pre>
568 ··········</td>581 ··········</td>
Offset 583, 28 lines modifiedOffset 597, 14 lines modified
583 <td·xml:lang="en-US">The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs,597 <td·xml:lang="en-US">The·xinetd·service·provides·a·dedicated·listener·service·for·some·programs,
584 which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling598 which·is·no·longer·necessary·for·commonly-used·network·services.·Disabling
585 it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents599 it·ensures·that·these·uncommon·services·are·not·running,·and·also·prevents
586 attacks·against·xinetd·itself.</td>600 attacks·against·xinetd·itself.</td>
587 <td></td>601 <td></td>
588 </tr>602 </tr>
589 <tr>603 <tr>
590 <td>CM-6(b)</td> 
591 <td>Install·tcp_wrappers·Package</td> 
592 <td·xml:lang="en-US">When·network·services·are·using·the·<code>xinetd</code>·service,·the 
593 <code>tcp_wrappers</code>·package·should·be·installed. 
  
594 ········The·<code>tcp_wrappers</code>·package·can·be·installed·with·the·following·command: 
595 ········<pre>$·sudo·yum·install·tcp_wrappers</pre> 
596 </td> 
597 <td·xml:lang="en-US">Access·control·methods·provide·the·ability·to·enhance·system·security·posture 
598 by·restricting·services·and·known·good·IP·addresses·and·address·ranges.·This 
599 prevents·connections·from·unknown·hosts·and·protocols.</td> 
600 <td></td> 
601 </tr> 
602 <tr> 
603 <td>AC-17(8)</td>604 <td>AC-17(8)</td>
604 <td>Uninstall·xinetd·Package</td>605 <td>Uninstall·xinetd·Package</td>
605 <td·xml:lang="en-US">The·<code>xinetd</code>·package·can·be·uninstalled·with·the·following·command:606 <td·xml:lang="en-US">The·<code>xinetd</code>·package·can·be·uninstalled·with·the·following·command:
606 <pre>$·sudo·yum·erase·xinetd</pre>607 <pre>$·sudo·yum·erase·xinetd</pre>
607 </td>608 </td>
608 <td·xml:lang="en-US">Removing·the·<code>xinetd</code>·package·decreases·the·risk·of·the609 <td·xml:lang="en-US">Removing·the·<code>xinetd</code>·package·decreases·the·risk·of·the
609 xinetd·service's·accidental·(or·intentional)·activation.</td>610 xinetd·service's·accidental·(or·intentional)·activation.</td>
Offset 775, 28 lines modifiedOffset 775, 14 lines modified
775 out·activities·outside·of·a·normal·login·session,·which·could·complicate775 out·activities·outside·of·a·normal·login·session,·which·could·complicate
776 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or776 accountability.·Furthermore,·the·need·to·schedule·tasks·with·<code>at</code>·or
777 <code>batch</code>·is·not·common.</td>777 <code>batch</code>·is·not·common.</td>
778 <td></td>778 <td></td>
779 </tr>779 </tr>
780 <tr>780 <tr>
781 <td>AC-17(8).1(ii)</td>781 <td>AC-17(8).1(ii)</td>
782 <td>Remove·the·X·Windows·Package·Group</td> 
783 <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows 
784 installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode. 
785 This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code> 
786 mode.·To·do·so,·run·the·following·command: 
787 <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> 
788 <pre>$·sudo·yum·remove·xorg-x11-server-common</pre> 
789 </td> 
790 <td·xml:lang="en-US">Unnecessary·service·packages·must·not·be·installed·to·decrease·the·attack·surface·of·the·system.·X·windows·has·a·long·history·of·security 
791 vulnerabilities·and·should·not·be·installed·unless·approved·and·documented.</td> 
792 <td></td> 
793 </tr> 
794 <tr> 
795 <td>AC-17(8).1(ii)</td> 
796 <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td>782 <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td>
797 <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by783 <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by
798 default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system784 default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system
799 into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to785 into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to
800 <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run:786 <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run:
801 <pre>$·systemctl·set-default·multi-user.target</pre>787 <pre>$·systemctl·set-default·multi-user.target</pre>
802 You·should·see·the·following·output:788 You·should·see·the·following·output:
Offset 806, 14 lines modifiedOffset 792, 28 lines modified
806 <td·xml:lang="en-US">Services·that·are·not·required·for·system·and·application·processes792 <td·xml:lang="en-US">Services·that·are·not·required·for·system·and·application·processes
807 must·not·be·active·to·decrease·the·attack·surface·of·the·system.·X·windows·has·a793 must·not·be·active·to·decrease·the·attack·surface·of·the·system.·X·windows·has·a
808 long·history·of·security·vulnerabilities·and·should·not·be·used·unless·approved794 long·history·of·security·vulnerabilities·and·should·not·be·used·unless·approved
809 and·documented.</td>795 and·documented.</td>
810 <td></td>796 <td></td>
811 </tr>797 </tr>
812 <tr>798 <tr>
 799 <td>AC-17(8).1(ii)</td>
 800 <td>Remove·the·X·Windows·Package·Group</td>
 801 <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows
 802 installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode.
 803 This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code>
 804 mode.·To·do·so,·run·the·following·command:
 805 <pre>$·sudo·yum·groupremove·"X·Window·System"</pre>
 806 <pre>$·sudo·yum·remove·xorg-x11-server-common</pre>
 807 </td>
 808 <td·xml:lang="en-US">Unnecessary·service·packages·must·not·be·installed·to·decrease·the·attack·surface·of·the·system.·X·windows·has·a·long·history·of·security
 809 vulnerabilities·and·should·not·be·installed·unless·approved·and·documented.</td>
 810 <td></td>
 811 </tr>
 812 <tr>
813 <td>SC-32</td>813 <td>SC-32</td>
814 <td>Uninstall·quagga·Package</td>814 <td>Uninstall·quagga·Package</td>
815 <td·xml:lang="en-US">815 <td·xml:lang="en-US">
816 ············816 ············
817 ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command:817 ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command:
818 ········<pre>$·sudo·yum·erase·quagga</pre>818 ········<pre>$·sudo·yum·erase·quagga</pre>
819 ··········</td>819 ··········</td>
Offset 924, 39 lines modifiedOffset 924, 49 lines modified
924 <td·xml:lang="en-US">Unnecessary·packages·should·not·be·installed·to·decrease·the·attack924 <td·xml:lang="en-US">Unnecessary·packages·should·not·be·installed·to·decrease·the·attack
925 surface·of·the·system.··While·this·software·is·clearly·essential·on·an·LDAP925 surface·of·the·system.··While·this·software·is·clearly·essential·on·an·LDAP
926 server,·it·is·not·necessary·on·typical·desktop·or·workstation·systems.</td>926 server,·it·is·not·necessary·on·typical·desktop·or·workstation·systems.</td>
927 <td></td>927 <td></td>
928 </tr>928 </tr>
929 <tr>929 <tr>
930 <td>AC-17(2)</td>930 <td>AC-17(2)</td>
931 <td>Enable·the·LDAP·Client·For·Use·in·Authconfig</td>931 <td>Configure·LDAP·Client·to·Use·TLS·For·All·Transactions</td>
932 <td·xml:lang="en-US">To·determine·if·LDAP·is·being·used·for·authentication,·use·the·following932 <td·xml:lang="en-US">This·check·verifies·that·RHEL7·implements·cryptography
 933 to·protect·the·integrity·of·remote·LDAP·authentication·sessions.
 934 <br><br>
Max diff block lines reached; 577257/583448 bytes (98.94%) of diff not shown.
42.3 KB
./usr/share/doc/ssg-nondebian/table-rhel7-pcidssrefs.html
Ordering differences only
    
Offset 191, 23 lines modifiedOffset 191, 28 lines modified
191 real-time·screen·display·(such·as·network·management·products)·require·the191 real-time·screen·display·(such·as·network·management·products)·require·the
192 login·session·does·not·have·administrator·rights·and·the·display·station·is·located·in·a192 login·session·does·not·have·administrator·rights·and·the·display·station·is·located·in·a
193 controlled-access·area.</td>193 controlled-access·area.</td>
194 <td></td>194 <td></td>
195 </tr>195 </tr>
196 <tr>196 <tr>
197 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td>197 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td>
198 <td>Ensure·Users·Cannot·Change·GNOME3·Screensaver·Idle·Activation</td>198 <td>Implement·Blank·Screensaver</td>
199 <td·xml:lang="en-US">If·not·already·configured,·ensure·that·users·cannot·change·GNOME3·screensaver·lock·settings199 <td·xml:lang="en-US">To·set·the·screensaver·mode·in·the·GNOME3·desktop·to·a·blank·screen,
200 by·adding·<pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>200 add·or·set·<code>picture-uri</code>·to·<code>string·''</code>·in
201 to·<code>/etc/dconf/db/local.d/00-security-settings</code>.201 <code>/etc/dconf/db/local.d/00-security-settings</code>.·For·example:
 202 <pre>[org/gnome/desktop/screensaver]
 203 picture-uri=string·''
 204 </pre>
 205 Once·the·settings·have·been·added,·add·a·lock·to
 206 <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification.
202 For·example:207 For·example:
203 <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>208 <pre>/org/gnome/desktop/screensaver/picture-uri</pre>
204 After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td>209 After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td>
205 <td·xml:lang="en-US">A·session·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from·the·immediate·physical·vicinity210 <td·xml:lang="en-US">Setting·the·screensaver·mode·to·blank-only·conceals·the
206 of·the·information·system·but·does·not·want·to·logout·because·of·the·temporary·nature·of·the·absense.</td>211 contents·of·the·display·from·passersby.</td>
207 <td></td>212 <td></td>
208 </tr>213 </tr>
209 <tr>214 <tr>
210 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td>215 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td>
211 <td>Set·GNOME3·Screensaver·Inactivity·Timeout</td>216 <td>Set·GNOME3·Screensaver·Inactivity·Timeout</td>
212 <td·xml:lang="en-US">The·idle·time-out·value·for·inactivity·in·the·GNOME3·desktop·is·configured·via·the·<code>idle-delay</code>217 <td·xml:lang="en-US">The·idle·time-out·value·for·inactivity·in·the·GNOME3·desktop·is·configured·via·the·<code>idle-delay</code>
213 setting·must·be·set·under·an·appropriate·configuration·file(s)·in·the·<code>/etc/dconf/db/local.d</code>·directory218 setting·must·be·set·under·an·appropriate·configuration·file(s)·in·the·<code>/etc/dconf/db/local.d</code>·directory
Offset 240, 28 lines modifiedOffset 245, 23 lines modified
240 After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td>245 After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td>
241 <td·xml:lang="en-US">A·session·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from·the·immediate·physical·vicinity246 <td·xml:lang="en-US">A·session·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from·the·immediate·physical·vicinity
242 of·the·information·system·but·does·not·want·to·logout·because·of·the·temporary·nature·of·the·absense.</td>247 of·the·information·system·but·does·not·want·to·logout·because·of·the·temporary·nature·of·the·absense.</td>
243 <td></td>248 <td></td>
244 </tr>249 </tr>
245 <tr>250 <tr>
246 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td>251 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td>
247 <td>Implement·Blank·Screensaver</td>252 <td>Ensure·Users·Cannot·Change·GNOME3·Screensaver·Idle·Activation</td>
248 <td·xml:lang="en-US">To·set·the·screensaver·mode·in·the·GNOME3·desktop·to·a·blank·screen,253 <td·xml:lang="en-US">If·not·already·configured,·ensure·that·users·cannot·change·GNOME3·screensaver·lock·settings
249 add·or·set·<code>picture-uri</code>·to·<code>string·''</code>·in254 by·adding·<pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>
250 <code>/etc/dconf/db/local.d/00-security-settings</code>.·For·example:255 to·<code>/etc/dconf/db/local.d/00-security-settings</code>.
251 <pre>[org/gnome/desktop/screensaver] 
252 picture-uri=string·'' 
253 </pre> 
254 Once·the·settings·have·been·added,·add·a·lock·to 
255 <code>/etc/dconf/db/local.d/locks/00-security-settings-lock</code>·to·prevent·user·modification. 
256 For·example:256 For·example:
257 <pre>/org/gnome/desktop/screensaver/picture-uri</pre>257 <pre>/org/gnome/desktop/screensaver/idle-activation-enabled</pre>
258 After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td>258 After·the·settings·have·been·set,·run·<code>dconf·update</code>.</td>
259 <td·xml:lang="en-US">Setting·the·screensaver·mode·to·blank-only·conceals·the259 <td·xml:lang="en-US">A·session·lock·is·a·temporary·action·taken·when·a·user·stops·work·and·moves·away·from·the·immediate·physical·vicinity
260 contents·of·the·display·from·passersby.</td>260 of·the·information·system·but·does·not·want·to·logout·because·of·the·temporary·nature·of·the·absense.</td>
261 <td></td>261 <td></td>
262 </tr>262 </tr>
263 <tr>263 <tr>
264 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td>264 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=64">Req-8.1.8</a></td>
265 <td>Enable·GNOME3·Screensaver·Lock·After·Idle·Period</td>265 <td>Enable·GNOME3·Screensaver·Lock·After·Idle·Period</td>
266 <td·xml:lang="en-US">To·activate·locking·of·the·screensaver·in·the·GNOME3·desktop·when·it·is·activated,266 <td·xml:lang="en-US">To·activate·locking·of·the·screensaver·in·the·GNOME3·desktop·when·it·is·activated,
267 add·or·set·<code>lock-enabled</code>·to·<code>true</code>·in267 add·or·set·<code>lock-enabled</code>·to·<code>true</code>·in
Offset 931, 35 lines modifiedOffset 931, 14 lines modified
931 </td>931 </td>
932 <td·xml:lang="en-US">Manual·editing·of·these·files·may·indicate·nefarious·activity,·such932 <td·xml:lang="en-US">Manual·editing·of·these·files·may·indicate·nefarious·activity,·such
933 as·an·attacker·attempting·to·remove·evidence·of·an·intrusion.</td>933 as·an·attacker·attempting·to·remove·evidence·of·an·intrusion.</td>
934 <td></td>934 <td></td>
935 </tr>935 </tr>
936 <tr>936 <tr>
937 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.2.b</a></td>937 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.2.b</a></td>
938 <td>Record·Attempts·to·Alter·the·localtime·File</td> 
939 <td·xml:lang="en-US">If·the·<code>auditd</code>·daemon·is·configured·to·use·the 
940 <code>augenrules</code>·program·to·read·audit·rules·during·daemon·startup·(the·default), 
941 add·the·following·line·to·a·file·with·suffix·<code>.rules</code>·in·the·directory 
942 <code>/etc/audit/rules.d</code>: 
943 <pre>-w·/etc/localtime·-p·wa·-k·audit_time_rules</pre> 
944 If·the·<code>auditd</code>·daemon·is·configured·to·use·the·<code>auditctl</code> 
945 utility·to·read·audit·rules·during·daemon·startup,·add·the·following·line·to 
946 <code>/etc/audit/audit.rules</code>·file: 
947 <pre>-w·/etc/localtime·-p·wa·-k·audit_time_rules</pre> 
948 The·-k·option·allows·for·the·specification·of·a·key·in·string·form·that·can 
949 be·used·for·better·reporting·capability·through·ausearch·and·aureport·and 
950 should·always·be·used.</td> 
951 <td·xml:lang="en-US">Arbitrary·changes·to·the·system·time·can·be·used·to·obfuscate 
952 nefarious·activities·in·log·files,·as·well·as·to·confuse·network·services·that 
953 are·highly·dependent·upon·an·accurate·system·time·(such·as·sshd).·All·changes 
954 to·the·system·time·should·be·audited.</td> 
955 <td></td> 
956 </tr> 
957 <tr> 
958 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.2.b</a></td> 
959 <td>Record·Attempts·to·Alter·Time·Through·stime</td>938 <td>Record·Attempts·to·Alter·Time·Through·stime</td>
960 <td·xml:lang="en-US">If·the·<code>auditd</code>·daemon·is·configured·to·use·the939 <td·xml:lang="en-US">If·the·<code>auditd</code>·daemon·is·configured·to·use·the
961 <code>augenrules</code>·program·to·read·audit·rules·during·daemon·startup·(the940 <code>augenrules</code>·program·to·read·audit·rules·during·daemon·startup·(the
962 default),·add·the·following·line·to·a·file·with·suffix·<code>.rules</code>·in·the941 default),·add·the·following·line·to·a·file·with·suffix·<code>.rules</code>·in·the
963 directory·<code>/etc/audit/rules.d</code>·for·both·32·bit·and·64·bit·systems:942 directory·<code>/etc/audit/rules.d</code>·for·both·32·bit·and·64·bit·systems:
964 <pre>-a·always,exit·-F·arch=b32·-S·stime·-F·key=audit_time_rules</pre>943 <pre>-a·always,exit·-F·arch=b32·-S·stime·-F·key=audit_time_rules</pre>
965 Since·the·64·bit·version·of·the·"stime"·system·call·is·not·defined·in·the·audit944 Since·the·64·bit·version·of·the·"stime"·system·call·is·not·defined·in·the·audit
Offset 984, 34 lines modifiedOffset 963, 27 lines modified
984 nefarious·activities·in·log·files,·as·well·as·to·confuse·network·services·that963 nefarious·activities·in·log·files,·as·well·as·to·confuse·network·services·that
985 are·highly·dependent·upon·an·accurate·system·time·(such·as·sshd).·All·changes964 are·highly·dependent·upon·an·accurate·system·time·(such·as·sshd).·All·changes
986 to·the·system·time·should·be·audited.</td>965 to·the·system·time·should·be·audited.</td>
987 <td></td>966 <td></td>
988 </tr>967 </tr>
989 <tr>968 <tr>
990 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.2.b</a></td>969 <td><a·href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf#page=82">Req-10.4.2.b</a></td>
991 <td>Record·attempts·to·alter·time·through·adjtimex</td>970 <td>Record·Attempts·to·Alter·the·localtime·File</td>
992 <td·xml:lang="en-US">If·the·<code>auditd</code>·daemon·is·configured·to·use·the971 <td·xml:lang="en-US">If·the·<code>auditd</code>·daemon·is·configured·to·use·the
993 <code>augenrules</code>·program·to·read·audit·rules·during·daemon·startup·(the972 <code>augenrules</code>·program·to·read·audit·rules·during·daemon·startup·(the·default),
994 default),·add·the·following·line·to·a·file·with·suffix·<code>.rules</code>·in·the973 add·the·following·line·to·a·file·with·suffix·<code>.rules</code>·in·the·directory
995 directory·<code>/etc/audit/rules.d</code>:974 <code>/etc/audit/rules.d</code>:
996 <pre>-a·always,exit·-F·arch=b32·-S·adjtimex·-F·key=audit_time_rules</pre>975 <pre>-w·/etc/localtime·-p·wa·-k·audit_time_rules</pre>
997 If·the·system·is·64·bit·then·also·add·the·following·line: 
998 <pre>-a·always,exit·-F·arch=b64·-S·adjtimex·-F·key=audit_time_rules</pre> 
999 If·the·<code>auditd</code>·daemon·is·configured·to·use·the·<code>auditctl</code>976 If·the·<code>auditd</code>·daemon·is·configured·to·use·the·<code>auditctl</code>
1000 utility·to·read·audit·rules·during·daemon·startup,·add·the·following·line·to977 utility·to·read·audit·rules·during·daemon·startup,·add·the·following·line·to
1001 <code>/etc/audit/audit.rules</code>·file:978 <code>/etc/audit/audit.rules</code>·file:
1002 <pre>-a·always,exit·-F·arch=b32·-S·adjtimex·-F·key=audit_time_rules</pre>979 <pre>-w·/etc/localtime·-p·wa·-k·audit_time_rules</pre>
1003 If·the·system·is·64·bit·then·also·add·the·following·line:980 The·-k·option·allows·for·the·specification·of·a·key·in·string·form·that·can
1004 <pre>-a·always,exit·-F·arch=b64·-S·adjtimex·-F·key=audit_time_rules</pre>981 be·used·for·better·reporting·capability·through·ausearch·and·aureport·and
1005 The·-k·option·allows·for·the·specification·of·a·key·in·string·form·that·can·be982 should·always·be·used.</td>
1006 used·for·better·reporting·capability·through·ausearch·and·aureport.·Multiple 
1007 system·calls·can·be·defined·on·the·same·line·to·save·space·if·desired,·but·is 
1008 not·required.·See·an·example·of·multiple·combined·syscalls: 
1009 <pre>-a·always,exit·-F·arch=b64·-S·adjtimex,settimeofday·-F·key=audit_time_rules</pre> 
1010 </td> 
1011 <td·xml:lang="en-US">Arbitrary·changes·to·the·system·time·can·be·used·to·obfuscate983 <td·xml:lang="en-US">Arbitrary·changes·to·the·system·time·can·be·used·to·obfuscate
1012 nefarious·activities·in·log·files,·as·well·as·to·confuse·network·services·that984 nefarious·activities·in·log·files,·as·well·as·to·confuse·network·services·that
1013 are·highly·dependent·upon·an·accurate·system·time·(such·as·sshd).·All·changes985 are·highly·dependent·upon·an·accurate·system·time·(such·as·sshd).·All·changes
1014 to·the·system·time·should·be·audited.</td>986 to·the·system·time·should·be·audited.</td>
1015 <td></td>987 <td></td>
1016 </tr>988 </tr>
Max diff block lines reached; 34119/43183 bytes (79.01%) of diff not shown.
1.44 MB
./usr/share/doc/ssg-nondebian/table-rhel7-srgmap-flat.html
Ordering differences only
    
Offset 175, 30 lines modifiedOffset 175, 14 lines modified
175 <td></td>175 <td></td>
176 </tr>176 </tr>
177 <tr>177 <tr>
178 <td>SRG-OS-000480-GPOS-00232</td>178 <td>SRG-OS-000480-GPOS-00232</td>
179 <td>CCI-000366</td>179 <td>CCI-000366</td>
180 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>180 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>
181 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>181 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>
182 <td>package_xorg-x11-server-common_removed</td> 
183 <td>Remove·the·X·Windows·Package·Group</td> 
184 <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows 
185 installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode. 
186 This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code> 
187 mode.·To·do·so,·run·the·following·command: 
188 <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> 
189 <pre>$·sudo·yum·remove·xorg-x11-server-common</pre> 
190 </td> 
191 <td></td> 
192 </tr> 
193 <tr> 
194 <td>SRG-OS-000480-GPOS-00232</td> 
195 <td>CCI-000366</td> 
196 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> 
197 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> 
198 <td>xwindows_runlevel_setting</td>182 <td>xwindows_runlevel_setting</td>
199 <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td>183 <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td>
200 <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by184 <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by
201 default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system185 default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system
202 into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to186 into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to
203 <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run:187 <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run:
204 <pre>$·systemctl·set-default·multi-user.target</pre>188 <pre>$·systemctl·set-default·multi-user.target</pre>
Offset 209, 14 lines modifiedOffset 193, 30 lines modified
209 <td></td>193 <td></td>
210 </tr>194 </tr>
211 <tr>195 <tr>
212 <td>SRG-OS-000480-GPOS-00232</td>196 <td>SRG-OS-000480-GPOS-00232</td>
213 <td>CCI-000366</td>197 <td>CCI-000366</td>
214 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>198 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>
215 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>199 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>
 200 <td>package_xorg-x11-server-common_removed</td>
 201 <td>Remove·the·X·Windows·Package·Group</td>
 202 <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows
 203 installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode.
 204 This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code>
 205 mode.·To·do·so,·run·the·following·command:
 206 <pre>$·sudo·yum·groupremove·"X·Window·System"</pre>
 207 <pre>$·sudo·yum·remove·xorg-x11-server-common</pre>
 208 </td>
 209 <td></td>
 210 </tr>
 211 <tr>
 212 <td>SRG-OS-000480-GPOS-00232</td>
 213 <td>CCI-000366</td>
 214 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>
 215 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>
216 <td>package_quagga_removed</td>216 <td>package_quagga_removed</td>
217 <td>Uninstall·quagga·Package</td>217 <td>Uninstall·quagga·Package</td>
218 <td·xml:lang="en-US">218 <td·xml:lang="en-US">
219 ············219 ············
220 ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command:220 ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command:
221 ········<pre>$·sudo·yum·erase·quagga</pre>221 ········<pre>$·sudo·yum·erase·quagga</pre>
222 ··········</td>222 ··········</td>
Offset 437, 14 lines modifiedOffset 437, 29 lines modified
437 <td></td>437 <td></td>
438 </tr>438 </tr>
439 <tr>439 <tr>
440 <td>SRG-OS-000480-GPOS-00232</td>440 <td>SRG-OS-000480-GPOS-00232</td>
441 <td>CCI-000366</td>441 <td>CCI-000366</td>
442 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>442 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>
443 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>443 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>
 444 <td>sshd_enable_strictmodes</td>
 445 <td>Enable·Use·of·Strict·Mode·Checking</td>
 446 <td·xml:lang="en-US">SSHs·StrictModes·option·checks·file·and·ownership·permissions·in
 447 the·user's·home·directory·<code>.ssh</code>·folder·before·accepting·login.·If·world-
 448 writable·permissions·are·found,·logon·is·rejected.·To·enable·StrictModes·in·SSH,
 449 add·or·correct·the·following·line·in·the·<code>/etc/ssh/sshd_config</code>·file:
 450 <pre>StrictModes·yes</pre>
 451 </td>
 452 <td></td>
 453 </tr>
 454 <tr>
 455 <td>SRG-OS-000480-GPOS-00232</td>
 456 <td>CCI-000366</td>
 457 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>
 458 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>
444 <td>sshd_disable_user_known_hosts</td>459 <td>sshd_disable_user_known_hosts</td>
445 <td>Disable·SSH·Support·for·User·Known·Hosts</td>460 <td>Disable·SSH·Support·for·User·Known·Hosts</td>
446 <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect461 <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect
447 to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available.462 to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available.
448 This·should·be·disabled.463 This·should·be·disabled.
449 <br><br>464 <br><br>
450 To·ensure·this·behavior·is·disabled,·add·or·correct·the465 To·ensure·this·behavior·is·disabled,·add·or·correct·the
Offset 470, 44 lines modifiedOffset 485, 14 lines modified
470 <td></td>485 <td></td>
471 </tr>486 </tr>
472 <tr>487 <tr>
473 <td>SRG-OS-000480-GPOS-00232</td>488 <td>SRG-OS-000480-GPOS-00232</td>
474 <td>CCI-000366</td>489 <td>CCI-000366</td>
475 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>490 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td>
476 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>491 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td>
477 <td>sshd_disable_rhosts_rsa</td> 
478 <td>Disable·SSH·Support·for·Rhosts·RSA·Authentication</td> 
479 <td·xml:lang="en-US">SSH·can·allow·authentication·through·the·obsolete·rsh 
480 command·through·the·use·of·the·authenticating·user's·SSH·keys.·This·should·be·disabled. 
481 <br><br> 
482 To·ensure·this·behavior·is·disabled,·add·or·correct·the 
483 following·line·in·<code>/etc/ssh/sshd_config</code>: 
484 <pre>RhostsRSAAuthentication·no</pre> 
485 </td> 
486 <td></td> 
487 </tr> 
488 <tr> 
489 <td>SRG-OS-000480-GPOS-00232</td> 
490 <td>CCI-000366</td> 
491 <td>The·operating·system·must·enable·an·application·firewall,·if·available.</td> 
492 <td>Firewalls·protect·computers·from·network·attacks·by·blocking·or·limiting·access·to·open·network·ports.·Application·firewalls·limit·which·applications·are·allowed·to·communicate·over·the·network.</td> 
493 <td>sshd_do_not_permit_user_env</td> 
494 <td>Do·Not·Allow·SSH·Environment·Options</td> 
495 <td·xml:lang="en-US">To·ensure·users·are·not·able·to·override·environment 
496 options·to·the·SSH·daemon,·add·or·correct·the·following·line 
497 in·<code>/etc/ssh/sshd_config</code>: 
498 <pre>PermitUserEnvironment·no</pre> 
499 </td> 
500 <td></td> 
501 </tr> 
502 <tr> 
503 <td>SRG-OS-000480-GPOS-00232</td> 
504 <td>CCI-000366</td> 
Max diff block lines reached; 1501824/1508677 bytes (99.55%) of diff not shown.
971 KB
./usr/share/doc/ssg-nondebian/table-rhel7-srgmap.html
Ordering differences only
    
Offset 126, 36 lines modifiedOffset 126, 36 lines modified
126 <td·xml:lang="en-US">If·<code>/etc/cron.allow</code>·exists,·it·must·be·owned·by·<code>root</code>.126 <td·xml:lang="en-US">If·<code>/etc/cron.allow</code>·exists,·it·must·be·owned·by·<code>root</code>.
  
127 ····To·properly·set·the·owner·of·<code>/etc/cron.allow</code>,·run·the·command:127 ····To·properly·set·the·owner·of·<code>/etc/cron.allow</code>,·run·the·command:
128 ····<pre·xml:space="preserve">$·sudo·chown·root·/etc/cron.allow·</pre>128 ····<pre·xml:space="preserve">$·sudo·chown·root·/etc/cron.allow·</pre>
129 </td>129 </td>
130 </tr></table>130 </tr></table>
131 <table><tr>131 <table><tr>
132 <td>Remove·the·X·Windows·Package·Group</td> 
133 <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows 
134 installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode. 
135 This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code> 
136 mode.·To·do·so,·run·the·following·command: 
137 <pre>$·sudo·yum·groupremove·"X·Window·System"</pre> 
138 <pre>$·sudo·yum·remove·xorg-x11-server-common</pre> 
139 </td> 
140 </tr></table> 
141 <table><tr> 
142 <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td>132 <td>Disable·X·Windows·Startup·By·Setting·Default·Target</td>
143 <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by133 <td·xml:lang="en-US">Systems·that·do·not·require·a·graphical·user·interface·should·only·boot·by
144 default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system134 default·into·<code>multi-user.target</code>·mode.·This·prevents·accidental·booting·of·the·system
145 into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to135 into·a·<code>graphical.target</code>·mode.·Setting·the·system's·default·target·to
146 <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run:136 <code>multi-user.target</code>·will·prevent·automatic·startup·of·the·X·server.·To·do·so,·run:
147 <pre>$·systemctl·set-default·multi-user.target</pre>137 <pre>$·systemctl·set-default·multi-user.target</pre>
148 You·should·see·the·following·output:138 You·should·see·the·following·output:
149 <pre>rm·'/etc/systemd/system/default.target'139 <pre>rm·'/etc/systemd/system/default.target'
150 ln·-s·'/usr/lib/systemd/system/multi-user.target'·'/etc/systemd/system/default.target'</pre>140 ln·-s·'/usr/lib/systemd/system/multi-user.target'·'/etc/systemd/system/default.target'</pre>
151 </td>141 </td>
152 </tr></table>142 </tr></table>
153 <table><tr>143 <table><tr>
 144 <td>Remove·the·X·Windows·Package·Group</td>
 145 <td·xml:lang="en-US">By·removing·the·xorg-x11-server-common·package,·the·system·no·longer·has·X·Windows
 146 installed.·If·X·Windows·is·not·installed·then·the·system·cannot·boot·into·graphical·user·mode.
 147 This·prevents·the·system·from·being·accidentally·or·maliciously·booted·into·a·<code>graphical.target</code>
 148 mode.·To·do·so,·run·the·following·command:
 149 <pre>$·sudo·yum·groupremove·"X·Window·System"</pre>
 150 <pre>$·sudo·yum·remove·xorg-x11-server-common</pre>
 151 </td>
 152 </tr></table>
 153 <table><tr>
154 <td>Uninstall·quagga·Package</td>154 <td>Uninstall·quagga·Package</td>
155 <td·xml:lang="en-US">155 <td·xml:lang="en-US">
156 ············156 ············
157 ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command:157 ········The·<code>quagga</code>·package·can·be·removed·with·the·following·command:
158 ········<pre>$·sudo·yum·erase·quagga</pre>158 ········<pre>$·sudo·yum·erase·quagga</pre>
159 ··········</td>159 ··········</td>
160 </tr></table>160 </tr></table>
Offset 286, 14 lines modifiedOffset 286, 23 lines modified
286 <td·xml:lang="en-US">286 <td·xml:lang="en-US">
287 ············287 ············
288 ········The·<code>avahi-daemon</code>·service·can·be·disabled·with·the·following·command:288 ········The·<code>avahi-daemon</code>·service·can·be·disabled·with·the·following·command:
289 ········<pre>$·sudo·systemctl·disable·avahi-daemon.service</pre>289 ········<pre>$·sudo·systemctl·disable·avahi-daemon.service</pre>
290 ··········</td>290 ··········</td>
291 </tr></table>291 </tr></table>
292 <table><tr>292 <table><tr>
 293 <td>Enable·Use·of·Strict·Mode·Checking</td>
 294 <td·xml:lang="en-US">SSHs·StrictModes·option·checks·file·and·ownership·permissions·in
 295 the·user's·home·directory·<code>.ssh</code>·folder·before·accepting·login.·If·world-
 296 writable·permissions·are·found,·logon·is·rejected.·To·enable·StrictModes·in·SSH,
 297 add·or·correct·the·following·line·in·the·<code>/etc/ssh/sshd_config</code>·file:
 298 <pre>StrictModes·yes</pre>
 299 </td>
 300 </tr></table>
 301 <table><tr>
293 <td>Disable·SSH·Support·for·User·Known·Hosts</td>302 <td>Disable·SSH·Support·for·User·Known·Hosts</td>
294 <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect303 <td·xml:lang="en-US">SSH·can·allow·system·users·user·host-based·authentication·to·connect
295 to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available.304 to·systems·if·a·cache·of·the·remote·systems·public·keys·are·available.
296 This·should·be·disabled.305 This·should·be·disabled.
297 <br><br>306 <br><br>
298 To·ensure·this·behavior·is·disabled,·add·or·correct·the307 To·ensure·this·behavior·is·disabled,·add·or·correct·the
299 following·line·in·<code>/etc/ssh/sshd_config</code>:308 following·line·in·<code>/etc/ssh/sshd_config</code>:
Offset 307, 32 lines modifiedOffset 316, 14 lines modified
307 <br>316 <br>
308 <pre>PermitEmptyPasswords·no</pre>317 <pre>PermitEmptyPasswords·no</pre>
309 <br>318 <br>
310 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration319 Any·accounts·with·empty·passwords·should·be·disabled·immediately,·and·PAM·configuration
311 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</td>320 should·prevent·users·from·being·able·to·assign·themselves·empty·passwords.</td>
312 </tr></table>321 </tr></table>
313 <table><tr>322 <table><tr>
314 <td>Disable·SSH·Support·for·Rhosts·RSA·Authentication</td> 
315 <td·xml:lang="en-US">SSH·can·allow·authentication·through·the·obsolete·rsh 
316 command·through·the·use·of·the·authenticating·user's·SSH·keys.·This·should·be·disabled. 
317 <br><br> 
318 To·ensure·this·behavior·is·disabled,·add·or·correct·the 
319 following·line·in·<code>/etc/ssh/sshd_config</code>: 
320 <pre>RhostsRSAAuthentication·no</pre> 
321 </td> 
322 </tr></table> 
323 <table><tr> 
324 <td>Do·Not·Allow·SSH·Environment·Options</td> 
325 <td·xml:lang="en-US">To·ensure·users·are·not·able·to·override·environment 
326 options·to·the·SSH·daemon,·add·or·correct·the·following·line 
327 in·<code>/etc/ssh/sshd_config</code>: 
328 <pre>PermitUserEnvironment·no</pre> 
329 </td> 
330 </tr></table> 
331 <table><tr> 
332 <td>Allow·Only·SSH·Protocol·2</td>323 <td>Allow·Only·SSH·Protocol·2</td>
333 <td·xml:lang="en-US">Only·SSH·protocol·version·2·connections·should·be324 <td·xml:lang="en-US">Only·SSH·protocol·version·2·connections·should·be
334 permitted.·The·default·setting·in325 permitted.·The·default·setting·in
335 <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be326 <code>/etc/ssh/sshd_config</code>·is·correct,·and·can·be
336 verified·by·ensuring·that·the·following327 verified·by·ensuring·that·the·following
337 line·appears:328 line·appears:
338 <pre>Protocol·2</pre>329 <pre>Protocol·2</pre>
Offset 346, 14 lines modifiedOffset 337, 32 lines modified
346 <br><br>337 <br><br>
347 To·ensure·this·behavior·is·disabled,·add·or·correct·the338 To·ensure·this·behavior·is·disabled,·add·or·correct·the
348 following·line·in·<code>/etc/ssh/sshd_config</code>:339 following·line·in·<code>/etc/ssh/sshd_config</code>:
349 <pre>IgnoreRhosts·yes</pre>340 <pre>IgnoreRhosts·yes</pre>
350 </td>341 </td>
351 </tr></table>342 </tr></table>
352 <table><tr>343 <table><tr>
 344 <td>Disable·SSH·Support·for·Rhosts·RSA·Authentication</td>
 345 <td·xml:lang="en-US">SSH·can·allow·authentication·through·the·obsolete·rsh
 346 command·through·the·use·of·the·authenticating·user's·SSH·keys.·This·should·be·disabled.
 347 <br><br>
 348 To·ensure·this·behavior·is·disabled,·add·or·correct·the
 349 following·line·in·<code>/etc/ssh/sshd_config</code>:
 350 <pre>RhostsRSAAuthentication·no</pre>
 351 </td>
 352 </tr></table>
 353 <table><tr>
 354 <td>Do·Not·Allow·SSH·Environment·Options</td>
 355 <td·xml:lang="en-US">To·ensure·users·are·not·able·to·override·environment
 356 options·to·the·SSH·daemon,·add·or·correct·the·following·line
 357 in·<code>/etc/ssh/sshd_config</code>:
 358 <pre>PermitUserEnvironment·no</pre>
 359 </td>
Max diff block lines reached; 988704/994325 bytes (99.43%) of diff not shown.
87.3 KB
./usr/share/scap-security-guide/ansible/ssg-centos6-role-C2S.yml
    
Offset 43, 57 lines modifiedOffset 43, 58 lines modified
43 ··········43 ··········
44 ···vars:44 ···vars:
45 ······sshd_idle_timeout_value:·30045 ······sshd_idle_timeout_value:·300
46 ······rsyslog_remote_loghost_address:·None46 ······rsyslog_remote_loghost_address:·None
47 ······sysctl_net_ipv6_conf_default_accept_ra_value:·047 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
48 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·048 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·049 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
50 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·150 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
51 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·051 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
52 ······sysctl_net_ipv4_conf_default_rp_filter_value:·152 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
53 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·153 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
54 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·154 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
55 ······sysctl_net_ipv4_tcp_syncookies_value:·155 ······sysctl_net_ipv4_tcp_syncookies_value:·1
56 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·056 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
57 ······sysctl_net_ipv4_conf_all_log_martians_value:·057 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
58 ······sysctl_net_ipv4_conf_all_rp_filter_value:·158 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
59 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·159 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
60 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·060 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
61 ······var_selinux_policy_name:·targeted61 ······var_selinux_policy_name:·targeted
62 ······var_selinux_state:·enforcing62 ······var_selinux_state:·enforcing
63 ······var_accounts_minimum_age_login_defs:·1 
64 ······var_accounts_maximum_age_login_defs:·90 
65 ······var_accounts_password_warn_age_login_defs:·763 ······var_accounts_password_warn_age_login_defs:·7
 64 ······var_accounts_maximum_age_login_defs:·90
 65 ······var_accounts_minimum_age_login_defs:·1
66 ······var_account_disable_post_pw_expiration:·3566 ······var_account_disable_post_pw_expiration:·35
67 ······var_password_pam_unix_remember:·067 ······var_password_pam_unix_remember:·0
68 ······var_accounts_passwords_pam_faillock_deny:·368 ······var_accounts_passwords_pam_faillock_deny:·3
69 ······var_accounts_passwords_pam_faillock_unlock_time:·60480069 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
70 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000070 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
 71 ······var_removable_partition:·/dev/cdrom
 72 ······var_removable_partition:·/dev/cdrom
 73 ······var_removable_partition:·/dev/cdrom
71 ······var_auditd_max_log_file:·174 ······var_auditd_max_log_file:·1
72 ······var_auditd_action_mail_acct:·admin75 ······var_auditd_action_mail_acct:·admin
73 ······var_auditd_space_left_action:·suspend 
74 ······var_auditd_admin_space_left_action:·suspend76 ······var_auditd_admin_space_left_action:·suspend
 77 ······var_auditd_space_left_action:·suspend
75 ······var_auditd_max_log_file_action:·ignore78 ······var_auditd_max_log_file_action:·ignore
76 ······var_removable_partition:·/dev/cdrom 
77 ······var_removable_partition:·/dev/cdrom 
78 ······var_removable_partition:·/dev/cdrom 
79 ···tasks:79 ···tasks:
80 ····-·name:·Ensure·samba·is·removed80 ····-·name:·Ensure·vsftpd·is·removed
81 ······package:81 ······package:
82 ········name="{{item}}"82 ········name="{{item}}"
83 ········state=absent83 ········state=absent
84 ······with_items:84 ······with_items:
85 ········-·samba85 ········-·vsftpd
86 ······tags:86 ······tags:
87 ········-·package_samba_removed87 ········-·package_vsftpd_removed
88 ········-·unknown_severity88 ········-·unknown_severity
89 ········-·disable_strategy89 ········-·disable_strategy
90 ········-·low_complexity90 ········-·low_complexity
91 ········-·low_disruption91 ········-·low_disruption
92 ········-·CCE-27102-392 ········-·CCE-26687-4
 93 ········-·NIST-800-53-CM-7
93 ····94 ····
94 ····-·name:·Ensure·httpd·is·removed95 ····-·name:·Ensure·httpd·is·removed
95 ······package:96 ······package:
96 ········name="{{item}}"97 ········name="{{item}}"
97 ········state=absent98 ········state=absent
98 ······with_items:99 ······with_items:
99 ········-·httpd100 ········-·httpd
Offset 102, 29 lines modifiedOffset 103, 43 lines modified
102 ········-·unknown_severity103 ········-·unknown_severity
103 ········-·disable_strategy104 ········-·disable_strategy
104 ········-·low_complexity105 ········-·low_complexity
105 ········-·low_disruption106 ········-·low_disruption
106 ········-·CCE-27133-8107 ········-·CCE-27133-8
107 ········-·NIST-800-53-CM-7108 ········-·NIST-800-53-CM-7
108 ····109 ····
109 ····-·name:·Ensure·dhcp·is·removed110 ····-·name:·Ensure·bind·is·removed
110 ······package:111 ······package:
111 ········name="{{item}}"112 ········name="{{item}}"
112 ········state=absent113 ········state=absent
113 ······with_items:114 ······with_items:
114 ········-·dhcp115 ········-·bind
115 ······tags:116 ······tags:
116 ········-·package_dhcp_removed117 ········-·package_bind_removed
117 ········-·medium_severity118 ········-·unknown_severity
118 ········-·disable_strategy119 ········-·disable_strategy
119 ········-·low_complexity120 ········-·low_complexity
120 ········-·low_disruption121 ········-·low_disruption
121 ········-·CCE-27120-5122 ········-·CCE-27030-6
122 ········-·NIST-800-53-CM-7123 ········-·NIST-800-53-CM-7
123 ····124 ····
 125 ····-·name:·Ensure·samba·is·removed
 126 ······package:
 127 ········name="{{item}}"
 128 ········state=absent
 129 ······with_items:
 130 ········-·samba
 131 ······tags:
 132 ········-·package_samba_removed
 133 ········-·unknown_severity
 134 ········-·disable_strategy
 135 ········-·low_complexity
 136 ········-·low_disruption
 137 ········-·CCE-27102-3
 138 ····
124 ····-·name:·Enable·service·ntpd139 ····-·name:·Enable·service·ntpd
125 ······service:140 ······service:
126 ········name="{{item}}"141 ········name="{{item}}"
127 ········enabled="yes"142 ········enabled="yes"
128 ········state="started"143 ········state="started"
129 ······with_items:144 ······with_items:
130 ········-·ntpd145 ········-·ntpd
Offset 135, 45 lines modifiedOffset 150, 94 lines modified
135 ········-·low_complexity150 ········-·low_complexity
136 ········-·low_disruption151 ········-·low_disruption
137 ········-·CCE-27093-4152 ········-·CCE-27093-4
138 ········-·NIST-800-53-AU-8(1)153 ········-·NIST-800-53-AU-8(1)
139 ········-·PCI-DSS-Req-10.4154 ········-·PCI-DSS-Req-10.4
140 ········-·DISA-STIG-RHEL-06-000247155 ········-·DISA-STIG-RHEL-06-000247
141 ····156 ····
142 ····-·name:·Disable·service·cups157 ····-·name:·Ensure·openldap-servers·is·removed
 158 ······package:
 159 ········name="{{item}}"
 160 ········state=absent
 161 ······with_items:
 162 ········-·openldap-servers
 163 ······tags:
 164 ········-·package_openldap-servers_removed
 165 ········-·unknown_severity
 166 ········-·disable_strategy
 167 ········-·low_complexity
Max diff block lines reached; 83773/89246 bytes (93.87%) of diff not shown.
177 KB
./usr/share/scap-security-guide/ansible/ssg-centos6-role-CS2.yml
    
Offset 33, 88 lines modifiedOffset 33, 75 lines modified
33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
34 ··········34 ··········
35 ···vars:35 ···vars:
36 ······rsyslog_remote_loghost_address:·None36 ······rsyslog_remote_loghost_address:·None
37 ······sysctl_net_ipv6_conf_default_accept_ra_value:·037 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
38 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·038 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
39 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·039 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
40 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·140 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
41 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·041 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
42 ······sysctl_net_ipv4_conf_default_rp_filter_value:·142 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
43 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·143 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
44 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·144 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
45 ······sysctl_net_ipv4_tcp_syncookies_value:·145 ······sysctl_net_ipv4_tcp_syncookies_value:·1
46 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·046 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
47 ······sysctl_net_ipv4_conf_all_log_martians_value:·047 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
48 ······sysctl_net_ipv4_conf_all_rp_filter_value:·148 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
49 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·149 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
50 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·050 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
51 ······var_selinux_policy_name:·targeted51 ······var_selinux_policy_name:·targeted
52 ······var_selinux_state:·enforcing52 ······var_selinux_state:·enforcing
53 ······var_accounts_password_minlen_login_defs:·1453 ······var_accounts_password_minlen_login_defs:·14
54 ······var_accounts_minimum_age_login_defs:·1 
55 ······var_accounts_maximum_age_login_defs:·180 
56 ······var_accounts_password_warn_age_login_defs:·754 ······var_accounts_password_warn_age_login_defs:·7
 55 ······var_accounts_maximum_age_login_defs:·180
 56 ······var_accounts_minimum_age_login_defs:·1
57 ······var_account_disable_post_pw_expiration:·3557 ······var_account_disable_post_pw_expiration:·35
58 ······var_password_pam_unix_remember:·1058 ······var_password_pam_unix_remember:·10
59 ······var_accounts_passwords_pam_faillock_deny:·359 ······var_accounts_passwords_pam_faillock_deny:·3
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_user_umask:·07763 ······var_accounts_user_umask:·077
64 ······var_accounts_max_concurrent_login_sessions:·364 ······var_accounts_max_concurrent_login_sessions:·3
65 ······var_removable_partition:·/dev/cdrom65 ······var_removable_partition:·/dev/cdrom
66 ······var_removable_partition:·/dev/cdrom66 ······var_removable_partition:·/dev/cdrom
67 ······var_removable_partition:·/dev/cdrom67 ······var_removable_partition:·/dev/cdrom
68 ···tasks:68 ···tasks:
69 ····-·name:·Disable·service·smb69 ····-·name:·Disable·service·vsftpd
70 ······service:70 ······service:
71 ········name="{{item}}"71 ········name="{{item}}"
72 ········enabled="no"72 ········enabled="no"
73 ········state="stopped"73 ········state="stopped"
74 ······register:·service_result74 ······register:·service_result
75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
76 ······with_items:76 ······with_items:
77 ········-·smb77 ········-·vsftpd
78 ······tags:78 ······tags:
79 ········-·service_smb_disabled79 ········-·service_vsftpd_disabled
80 ········-·unknown_severity80 ········-·unknown_severity
81 ········-·disable_strategy81 ········-·disable_strategy
82 ········-·low_complexity82 ········-·low_complexity
83 ········-·low_disruption83 ········-·low_disruption
84 ········-·CCE-27143-784 ········-·CCE-26948-0
85 ····85 ········-·NIST-800-53-CM-7
86 ····-·name:·Check·if·/etc/samba/smb.conf·exists 
87 ······stat: 
88 ········path:·/etc/samba/smb.conf 
89 ······register:·st_smb 
90 ······tags: 
91 ········-·require_smb_client_signing 
92 ········-·unknown_severity 
93 ········-·configure_strategy 
94 ········-·low_complexity 
95 ········-·medium_disruption 
96 ········-·CCE-26328-5 
97 ········-·DISA-STIG-RHEL-06-000272 
98 ····86 ····
99 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient87 ····-·name:·Ensure·vsftpd·is·removed
100 ······lineinfile:88 ······package:
101 ········dest:·/etc/samba/smb.conf89 ········name="{{item}}"
102 ········line:·client·signing·=·mandatory90 ········state=absent
103 ········state:·present91 ······with_items:
104 ········insertafter:·[global]92 ········-·vsftpd
105 ······when:·st_smb.stat.exists 
106 ······tags:93 ······tags:
107 ········-·require_smb_client_signing94 ········-·package_vsftpd_removed
108 ········-·unknown_severity95 ········-·unknown_severity
109 ········-·configure_strategy96 ········-·disable_strategy
110 ········-·low_complexity97 ········-·low_complexity
111 ········-·medium_disruption98 ········-·low_disruption
112 ········-·CCE-26328-599 ········-·CCE-26687-4
113 ········-·DISA-STIG-RHEL-06-000272100 ········-·NIST-800-53-CM-7
114 ····101 ····
115 ····-·name:·Ensure·httpd·is·removed102 ····-·name:·Ensure·httpd·is·removed
116 ······package:103 ······package:
117 ········name="{{item}}"104 ········name="{{item}}"
118 ········state=absent105 ········state=absent
119 ······with_items:106 ······with_items:
120 ········-·httpd107 ········-·httpd
Offset 153, 45 lines modifiedOffset 140, 92 lines modified
153 ········-·unknown_severity140 ········-·unknown_severity
154 ········-·configure_strategy141 ········-·configure_strategy
155 ········-·low_complexity142 ········-·low_complexity
156 ········-·low_disruption143 ········-·low_disruption
157 ········-·CCE-27316-9144 ········-·CCE-27316-9
158 ········-·NIST-800-53-CM-7145 ········-·NIST-800-53-CM-7
159 ····146 ····
160 ····-·name:·Ensure·sendmail·is·removed147 ····-·name:·Disable·service·named
 148 ······service:
 149 ········name="{{item}}"
 150 ········enabled="no"
 151 ········state="stopped"
 152 ······register:·service_result
 153 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 154 ······with_items:
 155 ········-·named
 156 ······tags:
 157 ········-·service_named_disabled
 158 ········-·unknown_severity
 159 ········-·disable_strategy
 160 ········-·low_complexity
 161 ········-·low_disruption
 162 ········-·CCE-26873-0
 163 ········-·NIST-800-53-CM-7
 164 ····
 165 ····-·name:·Ensure·bind·is·removed
161 ······package:166 ······package:
162 ········name="{{item}}"167 ········name="{{item}}"
163 ········state=absent168 ········state=absent
164 ······with_items:169 ······with_items:
165 ········-·sendmail170 ········-·bind
166 ······tags:171 ······tags:
167 ········-·package_sendmail_removed172 ········-·package_bind_removed
168 ········-·medium_severity173 ········-·unknown_severity
169 ········-·disable_strategy174 ········-·disable_strategy
170 ········-·low_complexity175 ········-·low_complexity
Max diff block lines reached; 175955/181073 bytes (97.17%) of diff not shown.
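Review bot: The two builds emit the same tasks in a different order (old lines 69–113 start with `Disable service smb` and the samba-signing tasks, the new side starts with `Disable service vsftpd` / `Ensure vsftpd is removed` at 69–100, and `named`/`bind` now precede `sendmail` at 147–175), so the generated role is not deterministic across builds; the generator presumably iterates an unordered set or dict of rule identifiers and should sort them, as it should the `vars:` keys, which are likewise permuted at lines 40–56, before writing the file. The same reordering appears in the ssg-centos6-role-CSCF-RHEL6-MLS.yml, ssg-centos6-role-desktop.yml and ssg-centos6-role-fisma-medium-rhel6-server.yml sections below. Separately, `vars:` carries the mapping key `var_removable_partition: /dev/cdrom` three times on both sides (lines 65–67); duplicate keys in a YAML mapping are resolved last-wins by most loaders and Ansible's loader may warn on them, so the generator should de-duplicate variables when several rules refer to the same one. The section is truncated, so whether the SMB client-signing tasks were intentionally dropped from this profile or merely moved past the cut cannot be told from here.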
129 KB
./usr/share/scap-security-guide/ansible/ssg-centos6-role-CSCF-RHEL6-MLS.yml
    
Offset 35, 39 lines modifiedOffset 35, 72 lines modified
35 ·······assert:35 ·······assert:
36 ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')"36 ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')"
37 ·········msg:·>37 ·········msg:·>
38 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."38 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
39 ··········39 ··········
40 ···vars:40 ···vars:
41 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·041 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
42 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·142 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
43 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_rp_filter_value:·144 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
45 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·145 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
46 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·146 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
47 ······sysctl_net_ipv4_tcp_syncookies_value:·147 ······sysctl_net_ipv4_tcp_syncookies_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·048 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_all_log_martians_value:·049 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
50 ······sysctl_net_ipv4_conf_all_rp_filter_value:·150 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
51 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·151 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
52 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·052 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
53 ······var_selinux_policy_name:·mls53 ······var_selinux_policy_name:·mls
54 ······var_selinux_state:·enforcing54 ······var_selinux_state:·enforcing
55 ······var_accounts_password_minlen_login_defs:·1255 ······var_accounts_password_minlen_login_defs:·12
56 ······var_accounts_maximum_age_login_defs:·180 
57 ······var_accounts_password_warn_age_login_defs:·756 ······var_accounts_password_warn_age_login_defs:·7
 57 ······var_accounts_maximum_age_login_defs:·180
58 ······var_account_disable_post_pw_expiration:·3558 ······var_account_disable_post_pw_expiration:·35
59 ······var_password_pam_unix_remember:·059 ······var_password_pam_unix_remember:·0
60 ······var_password_pam_retry:·360 ······var_password_pam_retry:·3
61 ······var_auditd_max_log_file:·161 ······var_auditd_max_log_file:·1
62 ······var_auditd_action_mail_acct:·admin62 ······var_auditd_action_mail_acct:·admin
63 ······var_auditd_space_left_action:·suspend 
64 ······var_auditd_admin_space_left_action:·suspend63 ······var_auditd_admin_space_left_action:·suspend
 64 ······var_auditd_space_left_action:·suspend
65 ······var_auditd_max_log_file_action:·keep_logs65 ······var_auditd_max_log_file_action:·keep_logs
66 ···tasks:66 ···tasks:
 67 ····-·name:·Disable·service·vsftpd
 68 ······service:
 69 ········name="{{item}}"
 70 ········enabled="no"
 71 ········state="stopped"
 72 ······register:·service_result
 73 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 74 ······with_items:
 75 ········-·vsftpd
 76 ······tags:
 77 ········-·service_vsftpd_disabled
 78 ········-·unknown_severity
 79 ········-·disable_strategy
 80 ········-·low_complexity
 81 ········-·low_disruption
 82 ········-·CCE-26948-0
 83 ········-·NIST-800-53-CM-7
 84 ····
 85 ····-·name:·Ensure·vsftpd·is·removed
 86 ······package:
 87 ········name="{{item}}"
 88 ········state=absent
 89 ······with_items:
 90 ········-·vsftpd
 91 ······tags:
 92 ········-·package_vsftpd_removed
 93 ········-·unknown_severity
 94 ········-·disable_strategy
 95 ········-·low_complexity
 96 ········-·low_disruption
 97 ········-·CCE-26687-4
 98 ········-·NIST-800-53-CM-7
 99 ····
67 ····100 ····
68 ····-·name:·Find·/etc/httpd/conf/*·file(s)101 ····-·name:·Find·/etc/httpd/conf/*·file(s)
69 ······find:102 ······find:
70 ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}"103 ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}"
71 ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}"104 ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}"
72 ······register:·files_found105 ······register:·files_found
73 ······tags:106 ······tags:
Offset 90, 98 lines modifiedOffset 123, 116 lines modified
90 ········-·unknown_severity123 ········-·unknown_severity
91 ········-·configure_strategy124 ········-·configure_strategy
92 ········-·low_complexity125 ········-·low_complexity
93 ········-·low_disruption126 ········-·low_disruption
94 ········-·CCE-27316-9127 ········-·CCE-27316-9
95 ········-·NIST-800-53-CM-7128 ········-·NIST-800-53-CM-7
96 ····129 ····
97 ····-·name:·Ensure·sendmail·is·removed130 ····-·name:·Disable·service·named
98 ······package:131 ······service:
99 ········name="{{item}}"132 ········name="{{item}}"
100 ········state=absent133 ········enabled="no"
 134 ········state="stopped"
 135 ······register:·service_result
 136 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
101 ······with_items:137 ······with_items:
102 ········-·sendmail138 ········-·named
103 ······tags:139 ······tags:
104 ········-·package_sendmail_removed140 ········-·service_named_disabled
105 ········-·medium_severity141 ········-·unknown_severity
106 ········-·disable_strategy142 ········-·disable_strategy
107 ········-·low_complexity143 ········-·low_complexity
108 ········-·low_disruption144 ········-·low_disruption
109 ········-·CCE-27515-6145 ········-·CCE-26873-0
110 ········-·NIST-800-53-CM-7146 ········-·NIST-800-53-CM-7
111 ········-·DISA-STIG-RHEL-06-000288 
112 ····147 ····
113 ····-·name:·Ensure·dhcp·is·removed148 ····-·name:·Ensure·bind·is·removed
114 ······package:149 ······package:
115 ········name="{{item}}"150 ········name="{{item}}"
116 ········state=absent151 ········state=absent
117 ······with_items:152 ······with_items:
118 ········-·dhcp153 ········-·bind
119 ······tags:154 ······tags:
120 ········-·package_dhcp_removed155 ········-·package_bind_removed
121 ········-·medium_severity156 ········-·unknown_severity
122 ········-·disable_strategy157 ········-·disable_strategy
123 ········-·low_complexity158 ········-·low_complexity
124 ········-·low_disruption159 ········-·low_disruption
125 ········-·CCE-27120-5160 ········-·CCE-27030-6
126 ········-·NIST-800-53-CM-7161 ········-·NIST-800-53-CM-7
127 ····162 ····
128 ····-·name:·Disable·service·dhcpd163 ····-·name:·Enable·service·ntpd
129 ······service:164 ······service:
130 ········name="{{item}}"165 ········name="{{item}}"
131 ········enabled="no"166 ········enabled="yes"
132 ········state="stopped"167 ········state="started"
133 ······register:·service_result 
134 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" 
135 ······with_items:168 ······with_items:
136 ········-·dhcpd169 ········-·ntpd
137 ······tags:170 ······tags:
138 ········-·service_dhcpd_disabled171 ········-·service_ntpd_enabled
Max diff block lines reached; 127041/131888 bytes (96.32%) of diff not shown.
129 KB
./usr/share/scap-security-guide/ansible/ssg-centos6-role-desktop.yml
    
Offset 34, 87 lines modifiedOffset 34, 74 lines modified
34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
35 ··········35 ··········
36 ···vars:36 ···vars:
37 ······sshd_idle_timeout_value:·30037 ······sshd_idle_timeout_value:·300
38 ······rsyslog_remote_loghost_address:·None38 ······rsyslog_remote_loghost_address:·None
39 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·039 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
40 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·040 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
41 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·141 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
42 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·042 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
43 ······sysctl_net_ipv4_conf_default_rp_filter_value:·143 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
44 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·044 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
45 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
46 ······sysctl_net_ipv4_tcp_syncookies_value:·146 ······sysctl_net_ipv4_tcp_syncookies_value:·1
47 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·047 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
48 ······sysctl_net_ipv4_conf_all_log_martians_value:·148 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
49 ······sysctl_net_ipv4_conf_all_rp_filter_value:·149 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
50 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·150 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
51 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·051 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
52 ······var_selinux_policy_name:·targeted52 ······var_selinux_policy_name:·targeted
53 ······var_selinux_state:·enforcing53 ······var_selinux_state:·enforcing
54 ······var_accounts_password_minlen_login_defs:·1554 ······var_accounts_password_minlen_login_defs:·15
55 ······var_accounts_minimum_age_login_defs:·7 
56 ······var_accounts_maximum_age_login_defs:·90 
57 ······var_accounts_password_warn_age_login_defs:·755 ······var_accounts_password_warn_age_login_defs:·7
 56 ······var_accounts_maximum_age_login_defs:·90
 57 ······var_accounts_minimum_age_login_defs:·7
58 ······var_password_pam_unix_remember:·558 ······var_password_pam_unix_remember:·5
59 ······var_accounts_passwords_pam_faillock_deny:·359 ······var_accounts_passwords_pam_faillock_deny:·3
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_tmout:·60063 ······var_accounts_tmout:·600
 64 ······var_removable_partition:·/dev/cdrom
64 ······var_auditd_max_log_file:·665 ······var_auditd_max_log_file:·6
65 ······var_auditd_admin_space_left_action:·single66 ······var_auditd_admin_space_left_action:·single
66 ······var_auditd_max_log_file_action:·rotate67 ······var_auditd_max_log_file_action:·rotate
67 ······var_removable_partition:·/dev/cdrom 
68 ···tasks:68 ···tasks:
69 ····-·name:·Disable·service·smb69 ····-·name:·Disable·service·vsftpd
70 ······service:70 ······service:
71 ········name="{{item}}"71 ········name="{{item}}"
72 ········enabled="no"72 ········enabled="no"
73 ········state="stopped"73 ········state="stopped"
74 ······register:·service_result74 ······register:·service_result
75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
76 ······with_items:76 ······with_items:
77 ········-·smb77 ········-·vsftpd
78 ······tags:78 ······tags:
79 ········-·service_smb_disabled79 ········-·service_vsftpd_disabled
80 ········-·unknown_severity80 ········-·unknown_severity
81 ········-·disable_strategy81 ········-·disable_strategy
82 ········-·low_complexity82 ········-·low_complexity
83 ········-·low_disruption83 ········-·low_disruption
84 ········-·CCE-27143-784 ········-·CCE-26948-0
85 ····85 ········-·NIST-800-53-CM-7
86 ····-·name:·Check·if·/etc/samba/smb.conf·exists 
87 ······stat: 
88 ········path:·/etc/samba/smb.conf 
89 ······register:·st_smb 
90 ······tags: 
91 ········-·require_smb_client_signing 
92 ········-·unknown_severity 
93 ········-·configure_strategy 
94 ········-·low_complexity 
95 ········-·medium_disruption 
96 ········-·CCE-26328-5 
97 ········-·DISA-STIG-RHEL-06-000272 
98 ····86 ····
99 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient87 ····-·name:·Ensure·vsftpd·is·removed
100 ······lineinfile:88 ······package:
101 ········dest:·/etc/samba/smb.conf89 ········name="{{item}}"
102 ········line:·client·signing·=·mandatory90 ········state=absent
103 ········state:·present91 ······with_items:
104 ········insertafter:·[global]92 ········-·vsftpd
105 ······when:·st_smb.stat.exists 
106 ······tags:93 ······tags:
107 ········-·require_smb_client_signing94 ········-·package_vsftpd_removed
108 ········-·unknown_severity95 ········-·unknown_severity
109 ········-·configure_strategy96 ········-·disable_strategy
110 ········-·low_complexity97 ········-·low_complexity
111 ········-·medium_disruption98 ········-·low_disruption
112 ········-·CCE-26328-599 ········-·CCE-26687-4
113 ········-·DISA-STIG-RHEL-06-000272100 ········-·NIST-800-53-CM-7
114 ····101 ····
115 ····-·name:·Disable·service·httpd102 ····-·name:·Disable·service·httpd
116 ······service:103 ······service:
117 ········name="{{item}}"104 ········name="{{item}}"
118 ········enabled="no"105 ········enabled="no"
119 ········state="stopped"106 ········state="stopped"
120 ······register:·service_result107 ······register:·service_result
Offset 141, 46 lines modifiedOffset 128, 92 lines modified
141 ········-·unknown_severity128 ········-·unknown_severity
142 ········-·disable_strategy129 ········-·disable_strategy
143 ········-·low_complexity130 ········-·low_complexity
144 ········-·low_disruption131 ········-·low_disruption
145 ········-·CCE-27133-8132 ········-·CCE-27133-8
146 ········-·NIST-800-53-CM-7133 ········-·NIST-800-53-CM-7
147 ····134 ····
148 ····-·name:·Ensure·dhcp·is·removed135 ····-·name:·Disable·service·named
 136 ······service:
 137 ········name="{{item}}"
 138 ········enabled="no"
 139 ········state="stopped"
 140 ······register:·service_result
 141 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 142 ······with_items:
 143 ········-·named
 144 ······tags:
 145 ········-·service_named_disabled
 146 ········-·unknown_severity
 147 ········-·disable_strategy
 148 ········-·low_complexity
 149 ········-·low_disruption
 150 ········-·CCE-26873-0
 151 ········-·NIST-800-53-CM-7
 152 ····
 153 ····-·name:·Ensure·bind·is·removed
149 ······package:154 ······package:
150 ········name="{{item}}"155 ········name="{{item}}"
151 ········state=absent156 ········state=absent
152 ······with_items:157 ······with_items:
153 ········-·dhcp158 ········-·bind
154 ······tags:159 ······tags:
155 ········-·package_dhcp_removed160 ········-·package_bind_removed
156 ········-·medium_severity161 ········-·unknown_severity
157 ········-·disable_strategy162 ········-·disable_strategy
158 ········-·low_complexity163 ········-·low_complexity
Max diff block lines reached; 126640/131720 bytes (96.14%) of diff not shown.
147 KB
./usr/share/scap-security-guide/ansible/ssg-centos6-role-fisma-medium-rhel6-server.yml
    
Offset 32, 46 lines modifiedOffset 32, 46 lines modified
32 ·········msg:·>32 ·········msg:·>
33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
34 ··········34 ··········
35 ···vars:35 ···vars:
36 ······sysctl_net_ipv6_conf_default_accept_ra_value:·036 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
37 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·037 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
38 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·038 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
39 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·139 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
40 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·040 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
41 ······sysctl_net_ipv4_conf_default_rp_filter_value:·141 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
42 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·142 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
43 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·143 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
44 ······sysctl_net_ipv4_tcp_syncookies_value:·144 ······sysctl_net_ipv4_tcp_syncookies_value:·1
45 ······sysctl_net_ipv4_conf_all_log_martians_value:·045 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
46 ······sysctl_net_ipv4_conf_all_rp_filter_value:·146 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
47 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·147 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·048 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
49 ······var_selinux_policy_name:·targeted49 ······var_selinux_policy_name:·targeted
50 ······var_selinux_state:·enforcing50 ······var_selinux_state:·enforcing
51 ······var_accounts_password_minlen_login_defs:·1251 ······var_accounts_password_minlen_login_defs:·12
52 ······var_accounts_minimum_age_login_defs:·1 
53 ······var_accounts_maximum_age_login_defs:·120 
54 ······var_accounts_password_warn_age_login_defs:·752 ······var_accounts_password_warn_age_login_defs:·7
 53 ······var_accounts_maximum_age_login_defs:·120
 54 ······var_accounts_minimum_age_login_defs:·1
55 ······var_account_disable_post_pw_expiration:·9055 ······var_account_disable_post_pw_expiration:·90
56 ······var_password_pam_unix_remember:·2456 ······var_password_pam_unix_remember:·24
57 ······var_accounts_passwords_pam_faillock_deny:·357 ······var_accounts_passwords_pam_faillock_deny:·3
58 ······var_accounts_passwords_pam_faillock_unlock_time:·60480058 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
59 ······var_accounts_passwords_pam_faillock_fail_interval:·90059 ······var_accounts_passwords_pam_faillock_fail_interval:·900
60 ······var_password_pam_maxrepeat:·360 ······var_password_pam_maxrepeat:·3
61 ······var_password_pam_retry:·361 ······var_password_pam_retry:·3
62 ······var_accounts_max_concurrent_login_sessions:·162 ······var_accounts_max_concurrent_login_sessions:·1
 63 ······var_removable_partition:·/dev/cdrom
 64 ······var_removable_partition:·/dev/cdrom
 65 ······var_removable_partition:·/dev/cdrom
63 ······var_auditd_max_log_file:·166 ······var_auditd_max_log_file:·1
64 ······var_auditd_action_mail_acct:·admin67 ······var_auditd_action_mail_acct:·admin
65 ······var_auditd_space_left_action:·suspend 
66 ······var_auditd_admin_space_left_action:·halt68 ······var_auditd_admin_space_left_action:·halt
 69 ······var_auditd_space_left_action:·suspend
67 ······var_auditd_max_log_file_action:·ignore70 ······var_auditd_max_log_file_action:·ignore
68 ······var_removable_partition:·/dev/cdrom 
69 ······var_removable_partition:·/dev/cdrom 
70 ······var_removable_partition:·/dev/cdrom 
71 ···tasks:71 ···tasks:
72 ····-·name:·Enable·service·ntpd72 ····-·name:·Enable·service·ntpd
73 ······service:73 ······service:
74 ········name="{{item}}"74 ········name="{{item}}"
75 ········enabled="yes"75 ········enabled="yes"
76 ········state="started"76 ········state="started"
77 ······with_items:77 ······with_items:
Offset 83, 14 lines modifiedOffset 83, 50 lines modified
83 ········-·low_complexity83 ········-·low_complexity
84 ········-·low_disruption84 ········-·low_disruption
85 ········-·CCE-27093-485 ········-·CCE-27093-4
86 ········-·NIST-800-53-AU-8(1)86 ········-·NIST-800-53-AU-8(1)
87 ········-·PCI-DSS-Req-10.487 ········-·PCI-DSS-Req-10.4
88 ········-·DISA-STIG-RHEL-06-00024788 ········-·DISA-STIG-RHEL-06-000247
89 ····89 ····
 90 ····-·name:·Enable·service·crond
 91 ······service:
 92 ········name="{{item}}"
 93 ········enabled="yes"
 94 ········state="started"
 95 ······with_items:
 96 ········-·crond
 97 ······tags:
 98 ········-·service_crond_enabled
 99 ········-·medium_severity
 100 ········-·enable_strategy
 101 ········-·low_complexity
 102 ········-·low_disruption
 103 ········-·CCE-27070-2
 104 ········-·NIST-800-53-CM-7
 105 ········-·DISA-STIG-RHEL-06-000224
 106 ····
 107 ····-·name:·Disable·service·atd
 108 ······service:
 109 ········name="{{item}}"
 110 ········enabled="no"
 111 ········state="stopped"
 112 ······register:·service_result
 113 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 114 ······with_items:
 115 ········-·atd
 116 ······tags:
 117 ········-·service_atd_disabled
 118 ········-·unknown_severity
 119 ········-·disable_strategy
 120 ········-·low_complexity
 121 ········-·low_disruption
 122 ········-·CCE-27249-2
 123 ········-·NIST-800-53-CM-7
 124 ········-·DISA-STIG-RHEL-06-000262
 125 ····
90 ····-·name:·Ensure·rsh·is·removed126 ····-·name:·Ensure·rsh·is·removed
91 ······package:127 ······package:
92 ········name="{{item}}"128 ········name="{{item}}"
93 ········state=absent129 ········state=absent
94 ······with_items:130 ······with_items:
95 ········-·rsh131 ········-·rsh
96 ······tags:132 ······tags:
Offset 243, 50 lines modifiedOffset 279, 14 lines modified
243 ········-·disable_strategy279 ········-·disable_strategy
244 ········-·low_complexity280 ········-·low_complexity
245 ········-·low_disruption281 ········-·low_disruption
246 ········-·CCE-27005-8282 ········-·CCE-27005-8
247 ········-·NIST-800-53-CM-7283 ········-·NIST-800-53-CM-7
248 ········-·DISA-STIG-RHEL-06-000204284 ········-·DISA-STIG-RHEL-06-000204
249 ····285 ····
250 ····-·name:·Enable·service·crond 
251 ······service: 
252 ········name="{{item}}" 
253 ········enabled="yes" 
254 ········state="started" 
255 ······with_items: 
256 ········-·crond 
257 ······tags: 
258 ········-·service_crond_enabled 
259 ········-·medium_severity 
260 ········-·enable_strategy 
261 ········-·low_complexity 
262 ········-·low_disruption 
263 ········-·CCE-27070-2 
264 ········-·NIST-800-53-CM-7 
265 ········-·DISA-STIG-RHEL-06-000224 
Max diff block lines reached; 145514/150564 bytes (96.65%) of diff not shown.
117 KB
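--- a/usr/share/scap-security-guide/ansible/ssg-centos6-role-ftp-server.yml
+++ b/usr/share/scap-security-guide/ansible/ssg-centos6-role-ftp-server.yml
@@ -33,42 +33,57 @@
 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
 ··········
 ···vars:
 ······sshd_idle_timeout_value:·300
 ······rsyslog_remote_loghost_address:·None
 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
-······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
+······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
-······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
+······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
 ······sysctl_net_ipv4_tcp_syncookies_value:·1
 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
-······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
-······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
+······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
+······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
 ······var_selinux_policy_name:·targeted
 ······var_selinux_state:·enforcing
 ······var_accounts_password_minlen_login_defs:·15
-······var_accounts_minimum_age_login_defs:·7
-······var_accounts_maximum_age_login_defs:·90
 ······var_accounts_password_warn_age_login_defs:·7
+······var_accounts_maximum_age_login_defs:·90
+······var_accounts_minimum_age_login_defs:·7
 ······var_password_pam_unix_remember:·5
 ······var_accounts_passwords_pam_faillock_deny:·3
 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
 ······var_password_pam_retry:·3
 ······var_accounts_tmout:·600
+······var_removable_partition:·/dev/cdrom
 ······var_auditd_max_log_file:·6
 ······var_auditd_admin_space_left_action:·single
 ······var_auditd_max_log_file_action:·rotate
-······var_removable_partition:·/dev/cdrom
 ···tasks:
+····-·name:·Ensure·vsftpd·is·installed
+······package:
+········name="{{item}}"
+········state=present
+······with_items:
+········-·vsftpd
+······tags:
+········-·package_vsftpd_installed
+········-·unknown_severity
+········-·enable_strategy
+········-·low_complexity
+········-·low_disruption
+········-·CCE-27187-4
+········-·NIST-800-53-CM-7
+····
 ····-·name:·Check·if·/etc/samba/smb.conf·exists
 ······stat:
 ········path:·/etc/samba/smb.conf
 ······register:·st_smb
 ······tags:
 ········-·require_smb_client_signing
 ········-·unknown_severity
@@ -108,14 +123,81 @@
 ········-·low_complexity
 ········-·low_disruption
 ········-·CCE-27093-4
 ········-·NIST-800-53-AU-8(1)
 ········-·PCI-DSS-Req-10.4
 ········-·DISA-STIG-RHEL-06-000247
 ····
+····-·name:·Ensure·openldap-servers·is·removed
+······package:
+········name="{{item}}"
+········state=absent
+······with_items:
+········-·openldap-servers
+······tags:
+········-·package_openldap-servers_removed
+········-·unknown_severity
+········-·disable_strategy
+········-·low_complexity
+········-·low_disruption
+········-·CCE-26858-1
+········-·NIST-800-53-CM-7
+········-·DISA-STIG-RHEL-06-000256
+····
+····-·name:·Enable·service·crond
+······service:
+········name="{{item}}"
+········enabled="yes"
+········state="started"
+······with_items:
+········-·crond
+······tags:
+········-·service_crond_enabled
+········-·medium_severity
+········-·enable_strategy
+········-·low_complexity
+········-·low_disruption
+········-·CCE-27070-2
+········-·NIST-800-53-CM-7
+········-·DISA-STIG-RHEL-06-000224
+····
+····-·name:·Disable·service·atd
+······service:
+········name="{{item}}"
+········enabled="no"
+········state="stopped"
+······register:·service_result
+······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
+······with_items:
+········-·atd
+······tags:
+········-·service_atd_disabled
+········-·unknown_severity
+········-·disable_strategy
+········-·low_complexity
+········-·low_disruption
+········-·CCE-27249-2
+········-·NIST-800-53-CM-7
+········-·DISA-STIG-RHEL-06-000262
+····
+····-·name:·Ensure·xorg-x11-server-common·is·removed
+······package:
+········name="{{item}}"
+········state=absent
+······with_items:
+········-·xorg-x11-server-common
+······tags: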
Max diff block lines reached; 114906/119566 bytes (96.10%) of diff not shown.
171 KB
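--- a/usr/share/scap-security-guide/ansible/ssg-centos6-role-nist-CL-IL-AL.yml
+++ b/usr/share/scap-security-guide/ansible/ssg-centos6-role-nist-CL-IL-AL.yml
@@ -38,75 +38,61 @@
 ··········
 ···vars:
 ······sshd_idle_timeout_value:·300
 ······rsyslog_remote_loghost_address:·None
 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
-······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
+······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
-······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
+······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
 ······sysctl_net_ipv4_tcp_syncookies_value:·1
 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
-······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
-······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
+······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
+······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
 ······var_selinux_policy_name:·targeted
 ······var_selinux_state:·enforcing
 ······var_accounts_password_minlen_login_defs:·15
-······var_accounts_minimum_age_login_defs:·7
-······var_accounts_maximum_age_login_defs:·90
 ······var_accounts_password_warn_age_login_defs:·7
+······var_accounts_maximum_age_login_defs:·90
+······var_accounts_minimum_age_login_defs:·7
 ······var_account_disable_post_pw_expiration:·40
 ······var_password_pam_unix_remember:·5
 ······var_accounts_passwords_pam_faillock_deny:·3
 ······var_accounts_passwords_pam_faillock_unlock_time:·900
 ······var_accounts_passwords_pam_faillock_fail_interval:·900
 ······var_password_pam_retry:·3
 ······var_accounts_tmout:·600
+······var_removable_partition:·/dev/cdrom
+······var_removable_partition:·/dev/cdrom
+······var_removable_partition:·/dev/cdrom
 ······var_auditd_max_log_file:·6
 ······var_auditd_action_mail_acct:·admin
-······var_auditd_space_left_action:·suspend
 ······var_auditd_admin_space_left_action:·single
+······var_auditd_space_left_action:·suspend
 ······var_auditd_max_log_file_action:·rotate
-······var_removable_partition:·/dev/cdrom
-······var_removable_partition:·/dev/cdrom
-······var_removable_partition:·/dev/cdrom
 ···tasks:
-····-·name:·Check·if·/etc/samba/smb.conf·exists
-······stat:
-········path:·/etc/samba/smb.conf
-······register:·st_smb
-······tags:
-········-·require_smb_client_signing
-········-·unknown_severity
-········-·configure_strategy
-········-·low_complexity
-········-·medium_disruption
-········-·CCE-26328-5
-········-·DISA-STIG-RHEL-06-000272
-····
-····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient
-······lineinfile:
-········dest:·/etc/samba/smb.conf
-········line:·client·signing·=·mandatory
-········state:·present
-········insertafter:·[global]
-······when:·st_smb.stat.exists
+····-·name:·Ensure·vsftpd·is·removed
+······package:
+········name="{{item}}"
+········state=absent
+······with_items:
+········-·vsftpd
 ······tags:
-········-·require_smb_client_signing
+········-·package_vsftpd_removed
 ········-·unknown_severity
-········-·configure_strategy
+········-·disable_strategy
 ········-·low_complexity
-········-·medium_disruption
-········-·CCE-26328-5
-········-·DISA-STIG-RHEL-06-000272
+········-·low_disruption
+········-·CCE-26687-4
+········-·NIST-800-53-CM-7
 ····
 ····-·name:·Disable·service·httpd
 ······service:
 ········name="{{item}}"
 ········enabled="no"
 ········state="stopped"
 ······register:·service_result
@@ -133,62 +119,75 @@
 ········-·unknown_severity
 ········-·disable_strategy
 ········-·low_complexity
 ········-·low_disruption
 ········-·CCE-27133-8
 ········-·NIST-800-53-CM-7
 ····
-····-·name:·Ensure·sendmail·is·removed
-······package:
+····-·name:·Disable·service·named
+······service:
 ········name="{{item}}"
-········state=absent
+········enabled="no"
+········state="stopped"
+······register:·service_result
+······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 ······with_items:
-········-·sendmail
+········-·named
 ······tags:
-········-·package_sendmail_removed
-········-·medium_severity
+········-·service_named_disabled
+········-·unknown_severity
 ········-·disable_strategy
 ········-·low_complexity
 ········-·low_disruption
-········-·CCE-27515-6
+········-·CCE-26873-0
 ········-·NIST-800-53-CM-7
-········-·DISA-STIG-RHEL-06-000288
 ····
-····-·name:·Ensure·dhcp·is·removed
+····-·name:·Ensure·bind·is·removed
 ······package:
 ········name="{{item}}"
 ········state=absent
 ······with_items:
-········-·dhcp
+········-·bind
 ······tags:
-········-·package_dhcp_removed
-········-·medium_severity
+········-·package_bind_removed
+········-·unknown_severity
 ········-·disable_strategy
 ········-·low_complexity
 ········-·low_disruption
-········-·CCE-27120-5
+········-·CCE-27030-6
 ········-·NIST-800-53-CM-7
 ····
-····-·name:·Disable·service·dhcpd
-······service:
-········name="{{item}}"
-········enabled="no"
+····-·name:·Check·if·/etc/samba/smb.conf·exists
+······stat:
+········path:·/etc/samba/smb.conf
+······register:·st_smb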
Max diff block lines reached; 169386/174902 bytes (96.85%) of diff not shown.
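Review bot: The new side of the first hunk declares `var_removable_partition: /dev/cdrom` three times in the `vars:` mapping (new lines 69–71), so the role depends on the YAML loader's duplicate-key handling instead of a single definition; the generator should emit each variable once. Both sides carry the same vars and tasks and differ only in their order, here and in the ftp-server, pci-dss, rht-ccp and server sections, which suggests the generator walks an unordered set or dict of rules, so sorting by rule id before writing the role would make these files reproducible across builds. The duplicate keys are present on both sides, so they are not a build-to-build difference; the fix belongs in the generator rather than in this diff.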
89.4 KB
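--- a/usr/share/scap-security-guide/ansible/ssg-centos6-role-pci-dss.yml
+++ b/usr/share/scap-security-guide/ansible/ssg-centos6-role-pci-dss.yml
@@ -39,16 +39,16 @@
 ······var_password_pam_unix_remember:·4
 ······var_accounts_passwords_pam_faillock_deny:·6
 ······var_accounts_passwords_pam_faillock_unlock_time:·1800
 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
 ······var_password_pam_minlen:·7
 ······var_auditd_max_log_file:·1
 ······var_auditd_action_mail_acct:·admin
-······var_auditd_space_left_action:·suspend
 ······var_auditd_admin_space_left_action:·suspend
+······var_auditd_space_left_action:·suspend
 ······var_auditd_max_log_file_action:·ignore
 ···tasks:
 ····-·name:·Enable·service·ntpd
 ······service:
 ········name="{{item}}"
 ········enabled="yes"
 ········state="started"
@@ -83,439 +83,14 @@
 ········-·low_disruption
 ········-·CCE-26919-1
 ········-·NIST-800-53-AC-2(5)
 ········-·NIST-800-53-SA-8
 ········-·PCI-DSS-Req-8.1.8
 ········-·DISA-STIG-RHEL-06-000230
 ····
-····-·name:·"Read·list·of·files·with·incorrect·permissions"
-······shell:·"rpm·-Va·|·grep·'^.M'·|·cut·-d·'·'·-f5-·|·sed·-r·'s;^.*\\s+(.+);\\1;g'"
-······register:·files_with_incorrect_permissions
-······failed_when:·False
-······changed_when:·False
-······check_mode:·no
-······tags:
-········-·rpm_verify_permissions
-········-·unknown_severity
-········-·restrict_strategy
-········-·high_complexity
-········-·medium_disruption
-········-·CCE-26731-0
-········-·NIST-800-53-AC-6
-········-·NIST-800-53-CM-6(d)
-········-·NIST-800-53-SI-7
-········-·PCI-DSS-Req-11.5
-········-·DISA-STIG-RHEL-06-000518
-····
-····-·name:·"Correct·file·permissions·with·RPM"
-······shell:·"rpm·--setperms·$(rpm·-qf·'{{item}}')"
-······with_items:·"{{·files_with_incorrect_permissions.stdout_lines·}}"
-······when:·files_with_incorrect_permissions.stdout_lines·|·length·>·0
-······tags:
-········-·rpm_verify_permissions
-········-·unknown_severity
-········-·restrict_strategy
-········-·high_complexity
-········-·medium_disruption
-········-·CCE-26731-0
-········-·NIST-800-53-AC-6
-········-·NIST-800-53-CM-6(d)
-········-·NIST-800-53-SI-7
-········-·PCI-DSS-Req-11.5
-········-·DISA-STIG-RHEL-06-000518
-····
-····-·name:·"Set·fact:·Package·manager·reinstall·command·(dnf)"
-······set_fact:
-········package_manager_reinstall_cmd:·dnf·reinstall·-y
-······when:·ansible_distribution·==·"Fedora"
-······tags:
-········-·rpm_verify_hashes
-········-·unknown_severity
-········-·unknown_strategy
-········-·high_complexity
-········-·medium_disruption
-········-·CCE-27223-7
-········-·NIST-800-53-CM-6(d)
-········-·NIST-800-53-SI-7
-········-·PCI-DSS-Req-11.5
-········-·DISA-STIG-RHEL-06-000519
-····
-····-·name:·"Set·fact:·Package·manager·reinstall·command·(yum)"
-······set_fact:
-········package_manager_reinstall_cmd:·yum·reinstall·-y
-······when:·ansible_distribution·==·"RedHat"·or·ansible_distribution·==·"OracleLinux"
-······tags:
-········-·rpm_verify_hashes
-········-·unknown_severity
-········-·unknown_strategy
-········-·high_complexity
-········-·medium_disruption
-········-·CCE-27223-7
-········-·NIST-800-53-CM-6(d)
-········-·NIST-800-53-SI-7
-········-·PCI-DSS-Req-11.5
-········-·DISA-STIG-RHEL-06-000519
-····
-····-·name:·"Read·files·with·incorrect·hash"
-······shell:·"rpm·-Va·|·grep·-E·'^..5.*·/(bin|sbin|lib|lib64|usr)/'·|·sed·-r·'s;^.*\\s+(.+);\\1;g'"
-······register:·files_with_incorrect_hash
-······changed_when:·False
-······when:·package_manager_reinstall_cmd·is·defined
-······check_mode:·no
-······tags:
-········-·rpm_verify_hashes
-········-·unknown_severity
-········-·unknown_strategy
-········-·high_complexity
-········-·medium_disruption
-········-·CCE-27223-7
-········-·NIST-800-53-CM-6(d)
-········-·NIST-800-53-SI-7
-········-·PCI-DSS-Req-11.5
-········-·DISA-STIG-RHEL-06-000519
-····
-····-·name:·"Reinstall·packages·of·files·with·incorrect·hash"
-······shell:·"{{package_manager_reinstall_cmd}}·$(rpm·-qf·'{{item}}')"
-······with_items:·"{{·files_with_incorrect_hash.stdout_lines·}}"
-······when:·package_manager_reinstall_cmd·is·defined·and·(files_with_incorrect_hash.stdout_lines·|·length·>·0)
-······tags:
-········-·rpm_verify_hashes
-········-·unknown_severity
-········-·unknown_strategy
-········-·high_complexity
-········-·medium_disruption
-········-·CCE-27223-7
-········-·NIST-800-53-CM-6(d)
-········-·NIST-800-53-SI-7
-········-·PCI-DSS-Req-11.5
-········-·DISA-STIG-RHEL-06-000519
-····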
Max diff block lines reached; 77885/91457 bytes (85.16%) of diff not shown.
26.4 KB
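--- a/usr/share/scap-security-guide/ansible/ssg-centos6-role-rht-ccp.yml
+++ b/usr/share/scap-security-guide/ansible/ssg-centos6-role-rht-ccp.yml
@@ -33,23 +33,42 @@
 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
 ··········
 ···vars:
 ······sshd_idle_timeout_value:·300
 ······var_selinux_policy_name:·targeted
 ······var_selinux_state:·enforcing
 ······var_accounts_password_minlen_login_defs:·6
-······var_accounts_minimum_age_login_defs:·7
-······var_accounts_maximum_age_login_defs:·120
 ······var_accounts_password_warn_age_login_defs:·7
+······var_accounts_maximum_age_login_defs:·120
+······var_accounts_minimum_age_login_defs:·7
 ······var_password_pam_unix_remember:·5
 ······var_accounts_passwords_pam_faillock_deny:·5
 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
 ······var_password_pam_retry:·3
 ···tasks:
+····-·name:·Disable·service·atd
+······service:
+········name="{{item}}"
+········enabled="no"
+········state="stopped"
+······register:·service_result
+······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
+······with_items:
+········-·atd
+······tags:
+········-·service_atd_disabled
+········-·unknown_severity
+········-·disable_strategy
+········-·low_complexity
+········-·low_disruption
+········-·CCE-27249-2
+········-·NIST-800-53-CM-7
+········-·DISA-STIG-RHEL-06-000262
+····
 ····-·name:·Ensure·rsh-server·is·removed
 ······package:
 ········name="{{item}}"
 ········state=absent
 ······with_items:
 ········-·rsh-server
 ······tags:
@@ -179,33 +198,14 @@
 ········-·disable_strategy
 ········-·low_complexity
 ········-·low_disruption
 ········-·CCE-27005-8
 ········-·NIST-800-53-CM-7
 ········-·DISA-STIG-RHEL-06-000204
 ····
-····-·name:·Disable·service·atd
-······service:
-········name="{{item}}"
-········enabled="no"
-········state="stopped"
-······register:·service_result
-······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
-······with_items:
-········-·atd
-······tags:
-········-·service_atd_disabled
-········-·unknown_severity
-········-·disable_strategy
-········-·low_complexity
-········-·low_disruption
-········-·CCE-27249-2
-········-·NIST-800-53-CM-7
-········-·DISA-STIG-RHEL-06-000262
-····
 ····-·name:·Disable·service·rdisc
 ······service:
 ········name="{{item}}"
 ········enabled="no"
 ········state="stopped"
 ······register:·service_result
 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
@@ -294,14 +294,33 @@
 ········-·disable_strategy
 ········-·low_complexity
 ········-·low_disruption
 ········-·CCE-27256-7
 ········-·NIST-800-53-CM-7
 ········-·DISA-STIG-RHEL-06-000265
 ····
+····-·name:·Disable·service·avahi-daemon
+······service:
+········name="{{item}}"
+········enabled="no"
+········state="stopped"
+······register:·service_result
+······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
+······with_items:
+········-·avahi-daemon
+······tags:
+········-·service_avahi-daemon_disabled
+········-·unknown_severity
+········-·disable_strategy
+········-·low_complexity
+········-·low_disruption
+········-·CCE-27087-6
+········-·NIST-800-53-CM-7
+········-·DISA-STIG-RHEL-06-000246
+····
 ····-·name:·Disable·SSH·Support·for·.rhosts·Files
 ······lineinfile:
 ········create:·yes
 ········dest:·/etc/ssh/sshd_config
 ········regexp:·^IgnoreRhosts
 ········line:·IgnoreRhosts·yes
 ········validate:·sshd·-t·-f·%s
@@ -440,33 +459,14 @@
 ········-·restrict_strategy
 ········-·low_complexity
 ········-·low_disruption
 ········-·CCE-27091-8
 ········-·NIST-800-53-AC-3
 ········-·DISA-STIG-RHEL-06-000236
 ····
-····
-····-·name:·"Allow·Only·SSH·Protocol·2"
-······lineinfile:
-········dest:·/etc/ssh/sshd_config
-········regexp:·"^Protocol·[0-9]"
-········line:·"Protocol·2"
-········validate:·sshd·-t·-f·%s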
Max diff block lines reached; 22675/26927 bytes (84.21%) of diff not shown.
116 KB
./usr/share/scap-security-guide/ansible/ssg-centos6-role-server.yml
    
Offset 34, 41 lines modifiedOffset 34, 41 lines modified
34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
35 ··········35 ··········
36 ···vars:36 ···vars:
37 ······sshd_idle_timeout_value:·30037 ······sshd_idle_timeout_value:·300
38 ······rsyslog_remote_loghost_address:·None38 ······rsyslog_remote_loghost_address:·None
39 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·039 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
40 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·040 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
41 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·141 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
42 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·042 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
43 ······sysctl_net_ipv4_conf_default_rp_filter_value:·143 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
44 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·044 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
45 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
46 ······sysctl_net_ipv4_tcp_syncookies_value:·146 ······sysctl_net_ipv4_tcp_syncookies_value:·1
47 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·047 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
48 ······sysctl_net_ipv4_conf_all_log_martians_value:·148 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
49 ······sysctl_net_ipv4_conf_all_rp_filter_value:·149 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
50 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·150 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
51 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·051 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
52 ······var_selinux_policy_name:·targeted52 ······var_selinux_policy_name:·targeted
53 ······var_selinux_state:·enforcing53 ······var_selinux_state:·enforcing
54 ······var_accounts_password_minlen_login_defs:·1554 ······var_accounts_password_minlen_login_defs:·15
55 ······var_accounts_minimum_age_login_defs:·7 
56 ······var_accounts_maximum_age_login_defs:·90 
57 ······var_accounts_password_warn_age_login_defs:·755 ······var_accounts_password_warn_age_login_defs:·7
 56 ······var_accounts_maximum_age_login_defs:·90
 57 ······var_accounts_minimum_age_login_defs:·7
58 ······var_password_pam_unix_remember:·558 ······var_password_pam_unix_remember:·5
59 ······var_accounts_passwords_pam_faillock_deny:·359 ······var_accounts_passwords_pam_faillock_deny:·3
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_tmout:·60063 ······var_accounts_tmout:·600
 64 ······var_removable_partition:·/dev/cdrom
64 ······var_auditd_max_log_file:·665 ······var_auditd_max_log_file:·6
65 ······var_auditd_admin_space_left_action:·single66 ······var_auditd_admin_space_left_action:·single
66 ······var_auditd_max_log_file_action:·rotate67 ······var_auditd_max_log_file_action:·rotate
67 ······var_removable_partition:·/dev/cdrom 
68 ···tasks:68 ···tasks:
69 ····-·name:·Check·if·/etc/samba/smb.conf·exists69 ····-·name:·Check·if·/etc/samba/smb.conf·exists
70 ······stat:70 ······stat:
71 ········path:·/etc/samba/smb.conf71 ········path:·/etc/samba/smb.conf
72 ······register:·st_smb72 ······register:·st_smb
73 ······tags:73 ······tags:
74 ········-·require_smb_client_signing74 ········-·require_smb_client_signing
Offset 109, 14 lines modifiedOffset 109, 81 lines modified
109 ········-·low_complexity109 ········-·low_complexity
110 ········-·low_disruption110 ········-·low_disruption
111 ········-·CCE-27093-4111 ········-·CCE-27093-4
112 ········-·NIST-800-53-AU-8(1)112 ········-·NIST-800-53-AU-8(1)
113 ········-·PCI-DSS-Req-10.4113 ········-·PCI-DSS-Req-10.4
114 ········-·DISA-STIG-RHEL-06-000247114 ········-·DISA-STIG-RHEL-06-000247
115 ····115 ····
 116 ····-·name:·Ensure·openldap-servers·is·removed
 117 ······package:
 118 ········name="{{item}}"
 119 ········state=absent
 120 ······with_items:
 121 ········-·openldap-servers
 122 ······tags:
 123 ········-·package_openldap-servers_removed
 124 ········-·unknown_severity
 125 ········-·disable_strategy
 126 ········-·low_complexity
 127 ········-·low_disruption
 128 ········-·CCE-26858-1
 129 ········-·NIST-800-53-CM-7
 130 ········-·DISA-STIG-RHEL-06-000256
 131 ····
 132 ····-·name:·Enable·service·crond
 133 ······service:
 134 ········name="{{item}}"
 135 ········enabled="yes"
 136 ········state="started"
 137 ······with_items:
 138 ········-·crond
 139 ······tags:
 140 ········-·service_crond_enabled
 141 ········-·medium_severity
 142 ········-·enable_strategy
 143 ········-·low_complexity
 144 ········-·low_disruption
 145 ········-·CCE-27070-2
 146 ········-·NIST-800-53-CM-7
 147 ········-·DISA-STIG-RHEL-06-000224
 148 ····
 149 ····-·name:·Disable·service·atd
 150 ······service:
 151 ········name="{{item}}"
 152 ········enabled="no"
 153 ········state="stopped"
 154 ······register:·service_result
 155 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 156 ······with_items:
 157 ········-·atd
 158 ······tags:
 159 ········-·service_atd_disabled
 160 ········-·unknown_severity
 161 ········-·disable_strategy
 162 ········-·low_complexity
 163 ········-·low_disruption
 164 ········-·CCE-27249-2
 165 ········-·NIST-800-53-CM-7
 166 ········-·DISA-STIG-RHEL-06-000262
 167 ····
 168 ····-·name:·Ensure·xorg-x11-server-common·is·removed
 169 ······package:
 170 ········name="{{item}}"
 171 ········state=absent
 172 ······with_items:
 173 ········-·xorg-x11-server-common
 174 ······tags:
 175 ········-·package_xorg-x11-server-common_removed
 176 ········-·unknown_severity
 177 ········-·disable_strategy
 178 ········-·low_complexity
 179 ········-·low_disruption
 180 ········-·CCE-27198-1
 181 ········-·DISA-STIG-RHEL-06-000291
 182 ····
116 ····-·name:·Ensure·rsh-server·is·removed183 ····-·name:·Ensure·rsh-server·is·removed
117 ······package:184 ······package:
118 ········name="{{item}}"185 ········name="{{item}}"
119 ········state=absent186 ········state=absent
120 ······with_items:187 ······with_items:
121 ········-·rsh-server188 ········-·rsh-server
122 ······tags:189 ······tags:
Offset 271, 65 lines modifiedOffset 338, 14 lines modified
Max diff block lines reached; 114413/118830 bytes (96.28%) of diff not shown.
115 KB
./usr/share/scap-security-guide/ansible/ssg-centos6-role-standard.yml
    
Offset 35, 41 lines modifiedOffset 35, 41 lines modified
35 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."35 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
36 ··········36 ··········
37 ···vars:37 ···vars:
38 ······sshd_idle_timeout_value:·30038 ······sshd_idle_timeout_value:·300
39 ······rsyslog_remote_loghost_address:·None39 ······rsyslog_remote_loghost_address:·None
40 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·040 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
41 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·041 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
42 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·142 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
43 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_rp_filter_value:·144 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
45 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
46 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·046 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
47 ······sysctl_net_ipv4_tcp_syncookies_value:·147 ······sysctl_net_ipv4_tcp_syncookies_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·048 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_all_log_martians_value:·149 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
50 ······sysctl_net_ipv4_conf_all_rp_filter_value:·150 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
51 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·151 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
52 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·052 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
53 ······var_selinux_policy_name:·targeted53 ······var_selinux_policy_name:·targeted
54 ······var_selinux_state:·enforcing54 ······var_selinux_state:·enforcing
55 ······var_accounts_password_minlen_login_defs:·1555 ······var_accounts_password_minlen_login_defs:·15
56 ······var_accounts_minimum_age_login_defs:·7 
57 ······var_accounts_maximum_age_login_defs:·90 
58 ······var_accounts_password_warn_age_login_defs:·756 ······var_accounts_password_warn_age_login_defs:·7
 57 ······var_accounts_maximum_age_login_defs:·90
 58 ······var_accounts_minimum_age_login_defs:·7
59 ······var_password_pam_unix_remember:·559 ······var_password_pam_unix_remember:·5
60 ······var_accounts_passwords_pam_faillock_deny:·360 ······var_accounts_passwords_pam_faillock_deny:·3
61 ······var_accounts_passwords_pam_faillock_unlock_time:·60480061 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
62 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000062 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
63 ······var_password_pam_retry:·363 ······var_password_pam_retry:·3
64 ······var_accounts_tmout:·60064 ······var_accounts_tmout:·600
 65 ······var_removable_partition:·/dev/cdrom
65 ······var_auditd_max_log_file:·666 ······var_auditd_max_log_file:·6
66 ······var_auditd_admin_space_left_action:·single67 ······var_auditd_admin_space_left_action:·single
67 ······var_auditd_max_log_file_action:·rotate68 ······var_auditd_max_log_file_action:·rotate
68 ······var_removable_partition:·/dev/cdrom 
69 ···tasks:69 ···tasks:
70 ····-·name:·Check·if·/etc/samba/smb.conf·exists70 ····-·name:·Check·if·/etc/samba/smb.conf·exists
71 ······stat:71 ······stat:
72 ········path:·/etc/samba/smb.conf72 ········path:·/etc/samba/smb.conf
73 ······register:·st_smb73 ······register:·st_smb
74 ······tags:74 ······tags:
75 ········-·require_smb_client_signing75 ········-·require_smb_client_signing
Offset 110, 14 lines modifiedOffset 110, 66 lines modified
110 ········-·low_complexity110 ········-·low_complexity
111 ········-·low_disruption111 ········-·low_disruption
112 ········-·CCE-27093-4112 ········-·CCE-27093-4
113 ········-·NIST-800-53-AU-8(1)113 ········-·NIST-800-53-AU-8(1)
114 ········-·PCI-DSS-Req-10.4114 ········-·PCI-DSS-Req-10.4
115 ········-·DISA-STIG-RHEL-06-000247115 ········-·DISA-STIG-RHEL-06-000247
116 ····116 ····
 117 ····-·name:·Ensure·openldap-servers·is·removed
 118 ······package:
 119 ········name="{{item}}"
 120 ········state=absent
 121 ······with_items:
 122 ········-·openldap-servers
 123 ······tags:
 124 ········-·package_openldap-servers_removed
 125 ········-·unknown_severity
 126 ········-·disable_strategy
 127 ········-·low_complexity
 128 ········-·low_disruption
 129 ········-·CCE-26858-1
 130 ········-·NIST-800-53-CM-7
 131 ········-·DISA-STIG-RHEL-06-000256
 132 ····
 133 ····-·name:·Enable·service·crond
 134 ······service:
 135 ········name="{{item}}"
 136 ········enabled="yes"
 137 ········state="started"
 138 ······with_items:
 139 ········-·crond
 140 ······tags:
 141 ········-·service_crond_enabled
 142 ········-·medium_severity
 143 ········-·enable_strategy
 144 ········-·low_complexity
 145 ········-·low_disruption
 146 ········-·CCE-27070-2
 147 ········-·NIST-800-53-CM-7
 148 ········-·DISA-STIG-RHEL-06-000224
 149 ····
 150 ····-·name:·Disable·service·atd
 151 ······service:
 152 ········name="{{item}}"
 153 ········enabled="no"
 154 ········state="stopped"
 155 ······register:·service_result
 156 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 157 ······with_items:
 158 ········-·atd
 159 ······tags:
 160 ········-·service_atd_disabled
 161 ········-·unknown_severity
 162 ········-·disable_strategy
 163 ········-·low_complexity
 164 ········-·low_disruption
 165 ········-·CCE-27249-2
 166 ········-·NIST-800-53-CM-7
 167 ········-·DISA-STIG-RHEL-06-000262
 168 ····
117 ····-·name:·Ensure·rsh-server·is·removed169 ····-·name:·Ensure·rsh-server·is·removed
118 ······package:170 ······package:
119 ········name="{{item}}"171 ········name="{{item}}"
120 ········state=absent172 ········state=absent
121 ······with_items:173 ······with_items:
122 ········-·rsh-server174 ········-·rsh-server
123 ······tags:175 ······tags:
Offset 272, 50 lines modifiedOffset 324, 14 lines modified
272 ········-·disable_strategy324 ········-·disable_strategy
273 ········-·low_complexity325 ········-·low_complexity
274 ········-·low_disruption326 ········-·low_disruption
275 ········-·CCE-27005-8327 ········-·CCE-27005-8
276 ········-·NIST-800-53-CM-7328 ········-·NIST-800-53-CM-7
277 ········-·DISA-STIG-RHEL-06-000204329 ········-·DISA-STIG-RHEL-06-000204
278 ····330 ····
279 ····-·name:·Enable·service·crond 
280 ······service: 
281 ········name="{{item}}" 
282 ········enabled="yes" 
283 ········state="started" 
284 ······with_items: 
285 ········-·crond 
286 ······tags: 
Max diff block lines reached; 112847/118018 bytes (95.62%) of diff not shown.
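Review bot: The only differences in this section are the order of the `vars` entries (the sysctl and login.defs block) and the position of whole task blocks such as `Enable service crond`, which points to the role generator walking an unordered container (a Python dict or set) when it emits variables and rules, so two builds of the same source yield different files. For a hardening role shipped in a .deb that is a supply-chain problem in its own right: the hash of the installed `ssg-centos6-role-standard.yml` cannot be checked against a source rebuild, which is exactly what this reproducibility diff is catching. The reorder is semantically harmless for `vars` (a YAML mapping), but tasks in a play run in file order, so the two builds also apply the hardening steps in a different sequence. The fix belongs in the generator rather than in this output: iterate variables and rules in a deterministic order, e.g. `for name, value in sorted(variables.items()):` and the profile's own rule order, so the rendered YAML is byte-stable.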
148 KB
./usr/share/scap-security-guide/ansible/ssg-centos6-role-stig-rhel6-disa.yml
    
Offset 40, 49 lines modifiedOffset 40, 49 lines modified
40 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."40 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
41 ··········41 ··········
42 ···vars:42 ···vars:
43 ······sshd_idle_timeout_value:·90043 ······sshd_idle_timeout_value:·900
44 ······rsyslog_remote_loghost_address:·None44 ······rsyslog_remote_loghost_address:·None
45 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·045 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
46 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·046 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
47 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·147 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
48 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·048 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_default_rp_filter_value:·149 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
50 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·050 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
51 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·051 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
52 ······sysctl_net_ipv4_tcp_syncookies_value:·152 ······sysctl_net_ipv4_tcp_syncookies_value:·1
53 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·053 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
54 ······sysctl_net_ipv4_conf_all_log_martians_value:·154 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
55 ······sysctl_net_ipv4_conf_all_rp_filter_value:·155 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
56 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·156 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
57 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·057 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
58 ······var_selinux_policy_name:·targeted58 ······var_selinux_policy_name:·targeted
59 ······var_selinux_state:·enforcing59 ······var_selinux_state:·enforcing
60 ······var_accounts_password_minlen_login_defs:·1560 ······var_accounts_password_minlen_login_defs:·15
61 ······var_accounts_minimum_age_login_defs:·1 
62 ······var_accounts_maximum_age_login_defs:·60 
63 ······var_accounts_password_warn_age_login_defs:·761 ······var_accounts_password_warn_age_login_defs:·7
 62 ······var_accounts_maximum_age_login_defs:·60
 63 ······var_accounts_minimum_age_login_defs:·1
64 ······var_account_disable_post_pw_expiration:·3564 ······var_account_disable_post_pw_expiration:·35
65 ······var_password_pam_unix_remember:·565 ······var_password_pam_unix_remember:·5
66 ······var_accounts_passwords_pam_faillock_deny:·366 ······var_accounts_passwords_pam_faillock_deny:·3
67 ······var_accounts_passwords_pam_faillock_unlock_time:·60480067 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
68 ······var_accounts_passwords_pam_faillock_fail_interval:·90068 ······var_accounts_passwords_pam_faillock_fail_interval:·900
69 ······var_password_pam_maxrepeat:·369 ······var_password_pam_maxrepeat:·3
70 ······var_password_pam_retry:·370 ······var_password_pam_retry:·3
71 ······var_accounts_user_umask:·07771 ······var_accounts_user_umask:·077
72 ······var_accounts_tmout:·60072 ······var_accounts_tmout:·600
73 ······var_accounts_max_concurrent_login_sessions:·1073 ······var_accounts_max_concurrent_login_sessions:·10
 74 ······var_removable_partition:·/dev/cdrom
 75 ······var_removable_partition:·/dev/cdrom
 76 ······var_removable_partition:·/dev/cdrom
74 ······var_auditd_max_log_file:·677 ······var_auditd_max_log_file:·6
75 ······var_auditd_action_mail_acct:·admin78 ······var_auditd_action_mail_acct:·admin
76 ······var_auditd_space_left_action:·suspend 
77 ······var_auditd_admin_space_left_action:·single79 ······var_auditd_admin_space_left_action:·single
 80 ······var_auditd_space_left_action:·suspend
78 ······var_auditd_max_log_file_action:·rotate81 ······var_auditd_max_log_file_action:·rotate
79 ······var_removable_partition:·/dev/cdrom 
80 ······var_removable_partition:·/dev/cdrom 
81 ······var_removable_partition:·/dev/cdrom 
82 ···tasks:82 ···tasks:
83 ····-·name:·Check·if·/etc/samba/smb.conf·exists83 ····-·name:·Check·if·/etc/samba/smb.conf·exists
84 ······stat:84 ······stat:
85 ········path:·/etc/samba/smb.conf85 ········path:·/etc/samba/smb.conf
86 ······register:·st_smb86 ······register:·st_smb
87 ······tags:87 ······tags:
88 ········-·require_smb_client_signing88 ········-·require_smb_client_signing
Offset 105, 63 lines modifiedOffset 105, 98 lines modified
105 ········-·unknown_severity105 ········-·unknown_severity
106 ········-·configure_strategy106 ········-·configure_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·medium_disruption108 ········-·medium_disruption
109 ········-·CCE-26328-5109 ········-·CCE-26328-5
110 ········-·DISA-STIG-RHEL-06-000272110 ········-·DISA-STIG-RHEL-06-000272
111 ····111 ····
112 ····-·name:·Ensure·sendmail·is·removed112 ····-·name:·Enable·service·ntpd
 113 ······service:
 114 ········name="{{item}}"
 115 ········enabled="yes"
 116 ········state="started"
 117 ······with_items:
 118 ········-·ntpd
 119 ······tags:
 120 ········-·service_ntpd_enabled
 121 ········-·medium_severity
 122 ········-·enable_strategy
 123 ········-·low_complexity
 124 ········-·low_disruption
 125 ········-·CCE-27093-4
 126 ········-·NIST-800-53-AU-8(1)
 127 ········-·PCI-DSS-Req-10.4
 128 ········-·DISA-STIG-RHEL-06-000247
 129 ····
 130 ····-·name:·Ensure·openldap-servers·is·removed
113 ······package:131 ······package:
114 ········name="{{item}}"132 ········name="{{item}}"
115 ········state=absent133 ········state=absent
116 ······with_items:134 ······with_items:
117 ········-·sendmail135 ········-·openldap-servers
118 ······tags:136 ······tags:
119 ········-·package_sendmail_removed137 ········-·package_openldap-servers_removed
120 ········-·medium_severity138 ········-·unknown_severity
121 ········-·disable_strategy139 ········-·disable_strategy
122 ········-·low_complexity140 ········-·low_complexity
123 ········-·low_disruption141 ········-·low_disruption
124 ········-·CCE-27515-6142 ········-·CCE-26858-1
125 ········-·NIST-800-53-CM-7143 ········-·NIST-800-53-CM-7
126 ········-·DISA-STIG-RHEL-06-000288144 ········-·DISA-STIG-RHEL-06-000256
127 ····145 ····
128 ····-·name:·Enable·service·postfix146 ····-·name:·Enable·service·crond
129 ······service:147 ······service:
130 ········name="{{item}}"148 ········name="{{item}}"
131 ········enabled="yes"149 ········enabled="yes"
132 ········state="started"150 ········state="started"
133 ······with_items:151 ······with_items:
134 ········-·postfix152 ········-·crond
135 ······tags:153 ······tags:
136 ········-·service_postfix_enabled154 ········-·service_crond_enabled
137 ········-·unknown_severity155 ········-·medium_severity
138 ········-·enable_strategy156 ········-·enable_strategy
139 ········-·low_complexity157 ········-·low_complexity
140 ········-·low_disruption158 ········-·low_disruption
141 ········-·CCE-26325-1159 ········-·CCE-27070-2
142 ········-·DISA-STIG-RHEL-06-000287160 ········-·NIST-800-53-CM-7
 161 ········-·DISA-STIG-RHEL-06-000224
143 ····162 ····
144 ····-·name:·Enable·service·ntpd163 ····-·name:·Disable·service·atd
145 ······service:164 ······service:
146 ········name="{{item}}"165 ········name="{{item}}"
147 ········enabled="yes"166 ········enabled="no"
148 ········state="started"167 ········state="stopped"
 168 ······register:·service_result
 169 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
149 ······with_items:170 ······with_items:
150 ········-·ntpd171 ········-·atd
151 ······tags:172 ······tags:
152 ········-·service_ntpd_enabled173 ········-·service_atd_disabled
153 ········-·medium_severity174 ········-·unknown_severity
154 ········-·enable_strategy175 ········-·disable_strategy
Max diff block lines reached; 146690/151852 bytes (96.60%) of diff not shown.
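Review bot: `var_removable_partition: /dev/cdrom` is emitted three times in the `vars` mapping of the new file (the three added lines just before `var_auditd_max_log_file`), which makes the mapping a duplicate-key YAML document; PyYAML keeps the last value and, as far as I recall, Ansible's loader prints a "duplicate dict key" warning, so the play only works because all three copies carry the same value. The generator evidently writes a variable once per rule that references it (three removable-media rules here) instead of de-duplicating, and the same triplet appears unchanged on both sides of the usgcb role further down. It should render each variable once, e.g. collect `{name: value}` into a dict before emitting `vars`, and fail the build if two rules resolve the same variable to different values, since a silent last-wins would otherwise let one rule's setting override another's.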
161 KB
./usr/share/scap-security-guide/ansible/ssg-centos6-role-usgcb-rhel6-server.yml
    
Offset 35, 85 lines modifiedOffset 35, 72 lines modified
35 ··········35 ··········
36 ···vars:36 ···vars:
37 ······sshd_idle_timeout_value:·30037 ······sshd_idle_timeout_value:·300
38 ······rsyslog_remote_loghost_address:·None38 ······rsyslog_remote_loghost_address:·None
39 ······sysctl_net_ipv6_conf_default_accept_ra_value:·039 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
40 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·040 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
41 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·041 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
42 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·142 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
43 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_rp_filter_value:·144 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
45 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
46 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 
47 ······sysctl_net_ipv4_tcp_syncookies_value:·146 ······sysctl_net_ipv4_tcp_syncookies_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·047 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_all_log_martians_value:·148 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
50 ······sysctl_net_ipv4_conf_all_rp_filter_value:·149 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
51 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·150 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
 51 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
52 ······var_selinux_policy_name:·targeted52 ······var_selinux_policy_name:·targeted
53 ······var_selinux_state:·enforcing53 ······var_selinux_state:·enforcing
54 ······var_accounts_password_minlen_login_defs:·1254 ······var_accounts_password_minlen_login_defs:·12
55 ······var_accounts_maximum_age_login_defs:·60 
56 ······var_accounts_password_warn_age_login_defs:·1455 ······var_accounts_password_warn_age_login_defs:·14
 56 ······var_accounts_maximum_age_login_defs:·60
57 ······var_account_disable_post_pw_expiration:·3057 ······var_account_disable_post_pw_expiration:·30
58 ······var_password_pam_unix_remember:·2458 ······var_password_pam_unix_remember:·24
59 ······var_accounts_passwords_pam_faillock_deny:·559 ······var_accounts_passwords_pam_faillock_deny:·5
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_user_umask:·07763 ······var_accounts_user_umask:·077
64 ······var_removable_partition:·/dev/cdrom64 ······var_removable_partition:·/dev/cdrom
65 ······var_removable_partition:·/dev/cdrom65 ······var_removable_partition:·/dev/cdrom
66 ······var_removable_partition:·/dev/cdrom66 ······var_removable_partition:·/dev/cdrom
67 ···tasks:67 ···tasks:
68 ····-·name:·Disable·service·smb68 ····-·name:·Disable·service·vsftpd
69 ······service:69 ······service:
70 ········name="{{item}}"70 ········name="{{item}}"
71 ········enabled="no"71 ········enabled="no"
72 ········state="stopped"72 ········state="stopped"
73 ······register:·service_result73 ······register:·service_result
74 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"74 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
75 ······with_items:75 ······with_items:
76 ········-·smb76 ········-·vsftpd
77 ······tags:77 ······tags:
78 ········-·service_smb_disabled78 ········-·service_vsftpd_disabled
79 ········-·unknown_severity79 ········-·unknown_severity
80 ········-·disable_strategy80 ········-·disable_strategy
81 ········-·low_complexity81 ········-·low_complexity
82 ········-·low_disruption82 ········-·low_disruption
83 ········-·CCE-27143-783 ········-·CCE-26948-0
84 ····84 ········-·NIST-800-53-CM-7
85 ····-·name:·Check·if·/etc/samba/smb.conf·exists 
86 ······stat: 
87 ········path:·/etc/samba/smb.conf 
88 ······register:·st_smb 
89 ······tags: 
90 ········-·require_smb_client_signing 
91 ········-·unknown_severity 
92 ········-·configure_strategy 
93 ········-·low_complexity 
94 ········-·medium_disruption 
95 ········-·CCE-26328-5 
96 ········-·DISA-STIG-RHEL-06-000272 
97 ····85 ····
98 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient86 ····-·name:·Ensure·vsftpd·is·removed
99 ······lineinfile:87 ······package:
100 ········dest:·/etc/samba/smb.conf88 ········name="{{item}}"
101 ········line:·client·signing·=·mandatory89 ········state=absent
102 ········state:·present90 ······with_items:
103 ········insertafter:·[global]91 ········-·vsftpd
104 ······when:·st_smb.stat.exists 
105 ······tags:92 ······tags:
106 ········-·require_smb_client_signing93 ········-·package_vsftpd_removed
107 ········-·unknown_severity94 ········-·unknown_severity
108 ········-·configure_strategy95 ········-·disable_strategy
109 ········-·low_complexity96 ········-·low_complexity
110 ········-·medium_disruption97 ········-·low_disruption
111 ········-·CCE-26328-598 ········-·CCE-26687-4
112 ········-·DISA-STIG-RHEL-06-00027299 ········-·NIST-800-53-CM-7
113 ····100 ····
114 ····-·name:·Disable·service·httpd101 ····-·name:·Disable·service·httpd
115 ······service:102 ······service:
116 ········name="{{item}}"103 ········name="{{item}}"
117 ········enabled="no"104 ········enabled="no"
118 ········state="stopped"105 ········state="stopped"
119 ······register:·service_result106 ······register:·service_result
Offset 140, 62 lines modifiedOffset 127, 92 lines modified
140 ········-·unknown_severity127 ········-·unknown_severity
141 ········-·disable_strategy128 ········-·disable_strategy
142 ········-·low_complexity129 ········-·low_complexity
143 ········-·low_disruption130 ········-·low_disruption
144 ········-·CCE-27133-8131 ········-·CCE-27133-8
145 ········-·NIST-800-53-CM-7132 ········-·NIST-800-53-CM-7
146 ····133 ····
147 ····-·name:·Ensure·sendmail·is·removed134 ····-·name:·Disable·service·named
148 ······package:135 ······service:
149 ········name="{{item}}"136 ········name="{{item}}"
150 ········state=absent137 ········enabled="no"
 138 ········state="stopped"
 139 ······register:·service_result
 140 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
151 ······with_items:141 ······with_items:
152 ········-·sendmail142 ········-·named
153 ······tags:143 ······tags:
154 ········-·package_sendmail_removed144 ········-·service_named_disabled
155 ········-·medium_severity145 ········-·unknown_severity
156 ········-·disable_strategy146 ········-·disable_strategy
157 ········-·low_complexity147 ········-·low_complexity
158 ········-·low_disruption148 ········-·low_disruption
159 ········-·CCE-27515-6149 ········-·CCE-26873-0
160 ········-·NIST-800-53-CM-7150 ········-·NIST-800-53-CM-7
161 ········-·DISA-STIG-RHEL-06-000288 
162 ····151 ····
163 ····-·name:·Ensure·dhcp·is·removed152 ····-·name:·Ensure·bind·is·removed
164 ······package:153 ······package:
165 ········name="{{item}}"154 ········name="{{item}}"
166 ········state=absent155 ········state=absent
167 ······with_items:156 ······with_items:
168 ········-·dhcp157 ········-·bind
169 ······tags:158 ······tags:
170 ········-·package_dhcp_removed159 ········-·package_bind_removed
171 ········-·medium_severity160 ········-·unknown_severity
172 ········-·disable_strategy161 ········-·disable_strategy
173 ········-·low_complexity162 ········-·low_complexity
174 ········-·low_disruption163 ········-·low_disruption
175 ········-·CCE-27120-5164 ········-·CCE-27030-6
Max diff block lines reached; 159145/164250 bytes (96.89%) of diff not shown.
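Review bot: `insertafter: [global]` in the `Require Client SMB Packet Signing, if using smbclient` task is an unquoted flow sequence in YAML, so Ansible receives the list `['global']` rather than the string `[global]`; once coerced to the module's string parameter and used as the `insertafter` regular expression it reads as a character class matching almost any line of smb.conf, so `client signing = mandatory` can be inserted after the last such line, i.e. inside a share section instead of under `[global]`. In the visible part of this section the task shows only on the old side because the rebuild moved it, not removed it (the paired `Check if /etc/samba/smb.conf exists` task is on both sides of the other role files above), so the new file presumably still carries the same line beyond the truncated part of the diff — worth confirming. The generator should quote and anchor the pattern, `insertafter: '^\[global\]'`, so the setting lands directly under the global section header.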
100 KB
./usr/share/scap-security-guide/ansible/ssg-centos7-role-C2S.yml
Ordering differences only
    
Offset 46, 26 lines modifiedOffset 46, 26 lines modified
46 ······sshd_idle_timeout_value:·720046 ······sshd_idle_timeout_value:·7200
47 ······rsyslog_remote_loghost_address:·logcollector47 ······rsyslog_remote_loghost_address:·logcollector
48 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·048 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv6_conf_default_accept_ra_value:·049 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
50 ······sysctl_net_ipv6_conf_all_accept_ra_value:·050 ······sysctl_net_ipv6_conf_all_accept_ra_value:·0
51 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·051 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
52 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·052 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
53 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·153 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
54 ······sysctl_net_ipv4_conf_default_log_martians_value:·154 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
55 ······sysctl_net_ipv4_conf_default_rp_filter_value:·155 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
56 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·056 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
57 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·057 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
58 ······sysctl_net_ipv4_tcp_syncookies_value:·158 ······sysctl_net_ipv4_tcp_syncookies_value:·1
59 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·059 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
60 ······sysctl_net_ipv4_conf_all_log_martians_value:·160 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
61 ······sysctl_net_ipv4_conf_all_rp_filter_value:·161 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
62 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·162 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
63 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·063 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
64 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·064 ······sysctl_net_ipv4_conf_default_log_martians_value:·1
65 ······var_selinux_policy_name:·targeted65 ······var_selinux_policy_name:·targeted
66 ······var_selinux_state:·enforcing66 ······var_selinux_state:·enforcing
67 ······var_accounts_password_warn_age_login_defs:·767 ······var_accounts_password_warn_age_login_defs:·7
68 ······var_accounts_minimum_age_login_defs:·768 ······var_accounts_minimum_age_login_defs:·7
69 ······var_accounts_maximum_age_login_defs:·9069 ······var_accounts_maximum_age_login_defs:·90
70 ······var_account_disable_post_pw_expiration:·3070 ······var_account_disable_post_pw_expiration:·30
71 ······var_password_pam_unix_remember:·571 ······var_password_pam_unix_remember:·5
Offset 274, 14 lines modifiedOffset 274, 30 lines modified
274 ········-·disable_strategy274 ········-·disable_strategy
275 ········-·low_complexity275 ········-·low_complexity
276 ········-·low_disruption276 ········-·low_disruption
277 ········-·CCE-80212-4277 ········-·CCE-80212-4
278 ········-·NIST-800-53-AC-17(8)278 ········-·NIST-800-53-AC-17(8)
279 ········-·NIST-800-53-CM-7279 ········-·NIST-800-53-CM-7
280 ····280 ····
 281 ····-·name:·Ensure·tcp_wrappers·is·installed
 282 ······package:
 283 ········name="{{item}}"
 284 ········state=present
 285 ······with_items:
 286 ········-·tcp_wrappers
 287 ······tags:
 288 ········-·package_tcp_wrappers_installed
 289 ········-·medium_severity
 290 ········-·enable_strategy
 291 ········-·low_complexity
 292 ········-·low_disruption
 293 ········-·CCE-27361-5
 294 ········-·NIST-800-53-CM-6(b)
 295 ········-·DISA-STIG-RHEL-07-TBD
 296 ····
281 ····-·name:·Disable·service·xinetd297 ····-·name:·Disable·service·xinetd
282 ······service:298 ······service:
283 ········name="{{item}}"299 ········name="{{item}}"
284 ········enabled="no"300 ········enabled="no"
285 ········state="stopped"301 ········state="stopped"
286 ······register:·service_result302 ······register:·service_result
287 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"303 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 294, 30 lines modifiedOffset 310, 14 lines modified
294 ········-·low_complexity310 ········-·low_complexity
295 ········-·low_disruption311 ········-·low_disruption
296 ········-·CCE-27443-1312 ········-·CCE-27443-1
297 ········-·NIST-800-53-AC-17(8)313 ········-·NIST-800-53-AC-17(8)
298 ········-·NIST-800-53-CM-7314 ········-·NIST-800-53-CM-7
299 ········-·NIST-800-171-3.4.7315 ········-·NIST-800-171-3.4.7
300 ····316 ····
301 ····-·name:·Ensure·tcp_wrappers·is·installed 
302 ······package: 
303 ········name="{{item}}" 
304 ········state=present 
305 ······with_items: 
306 ········-·tcp_wrappers 
307 ······tags: 
308 ········-·package_tcp_wrappers_installed 
309 ········-·medium_severity 
310 ········-·enable_strategy 
311 ········-·low_complexity 
312 ········-·low_disruption 
313 ········-·CCE-27361-5 
314 ········-·NIST-800-53-CM-6(b) 
315 ········-·DISA-STIG-RHEL-07-TBD 
316 ···· 
317 ····-·name:·Ensure·talk·is·removed317 ····-·name:·Ensure·talk·is·removed
318 ······package:318 ······package:
319 ········name="{{item}}"319 ········name="{{item}}"
320 ········state=absent320 ········state=absent
321 ······with_items:321 ······with_items:
322 ········-·talk322 ········-·talk
323 ······tags:323 ······tags:
Offset 338, 14 lines modifiedOffset 338, 31 lines modified
338 ········-·package_talk-server_removed338 ········-·package_talk-server_removed
339 ········-·medium_severity339 ········-·medium_severity
340 ········-·disable_strategy340 ········-·disable_strategy
341 ········-·low_complexity341 ········-·low_complexity
342 ········-·low_disruption342 ········-·low_disruption
343 ········-·CCE-27210-4343 ········-·CCE-27210-4
344 ····344 ····
 345 ····-·name:·Disable·service·dovecot
 346 ······service:
 347 ········name="{{item}}"
 348 ········enabled="no"
 349 ········state="stopped"
 350 ······register:·service_result
 351 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 352 ······with_items:
 353 ········-·dovecot
 354 ······tags:
 355 ········-·service_dovecot_disabled
 356 ········-·unknown_severity
 357 ········-·disable_strategy
 358 ········-·low_complexity
 359 ········-·low_disruption
 360 ········-·CCE-80294-2
 361 ····
345 ····-·name:·Disable·service·vsftpd362 ····-·name:·Disable·service·vsftpd
346 ······service:363 ······service:
347 ········name="{{item}}"364 ········name="{{item}}"
348 ········enabled="no"365 ········enabled="no"
349 ········state="stopped"366 ········state="stopped"
350 ······register:·service_result367 ······register:·service_result
351 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"368 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 496, 31 lines modifiedOffset 513, 14 lines modified
496 ········-·medium_severity513 ········-·medium_severity
497 ········-·disable_strategy514 ········-·disable_strategy
498 ········-·low_complexity515 ········-·low_complexity
499 ········-·low_disruption516 ········-·low_disruption
500 ········-·CCE-80330-4517 ········-·CCE-80330-4
501 ········-·NIST-800-53-CM-7518 ········-·NIST-800-53-CM-7
Max diff block lines reached; 97763/102303 bytes (95.56%) of diff not shown.
69.1 KB
./usr/share/scap-security-guide/ansible/ssg-centos7-role-cjis.yml
Ordering differences only
    
Offset 37, 28 lines modifiedOffset 37, 28 lines modified
37 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."37 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
38 ··········38 ··········
39 ···vars:39 ···vars:
40 ······sshd_idle_timeout_value:·180040 ······sshd_idle_timeout_value:·1800
41 ······sshd_listening_port:·2241 ······sshd_listening_port:·22
42 ······inactivity_timeout_value:·180042 ······inactivity_timeout_value:·1800
43 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·043 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
44 ······sysctl_net_ipv4_tcp_syncookies_value:·1 
45 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 
46 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·144 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
47 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·045 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
 46 ······sysctl_net_ipv4_tcp_syncookies_value:·1
 47 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
48 ······var_accounts_minimum_age_login_defs:·148 ······var_accounts_minimum_age_login_defs:·1
49 ······var_account_disable_post_pw_expiration:·049 ······var_account_disable_post_pw_expiration:·0
50 ······var_password_pam_minlen:·1250 ······var_password_pam_minlen:·12
51 ······var_password_pam_difok:·651 ······var_password_pam_difok:·6
52 ······var_accounts_max_concurrent_login_sessions:·352 ······var_accounts_max_concurrent_login_sessions:·3
53 ······var_auditd_max_log_file:·153 ······var_auditd_max_log_file:·1
54 ······var_auditd_action_mail_acct:·admin54 ······var_auditd_action_mail_acct:·admin
55 ······var_auditd_space_left_action:·suspend 
56 ······var_auditd_admin_space_left_action:·suspend55 ······var_auditd_admin_space_left_action:·suspend
57 ······var_auditd_max_log_file_action:·rotate56 ······var_auditd_max_log_file_action:·rotate
 57 ······var_auditd_space_left_action:·suspend
58 ···tasks:58 ···tasks:
59 ····-·name:·Disable·SSH·Access·via·Empty·Passwords59 ····-·name:·Disable·SSH·Access·via·Empty·Passwords
60 ······lineinfile:60 ······lineinfile:
61 ········create:·yes61 ········create:·yes
62 ········dest:·/etc/ssh/sshd_config62 ········dest:·/etc/ssh/sshd_config
63 ········regexp:·^PermitEmptyPasswords63 ········regexp:·^PermitEmptyPasswords
64 ········line:·PermitEmptyPasswords·no64 ········line:·PermitEmptyPasswords·no
Offset 96, 14 lines modifiedOffset 96, 39 lines modified
96 ········-·NIST-800-53-AC-2(5)96 ········-·NIST-800-53-AC-2(5)
97 ········-·NIST-800-53-SA-897 ········-·NIST-800-53-SA-8
98 ········-·NIST-800-53-AC-1298 ········-·NIST-800-53-AC-12
99 ········-·NIST-800-171-3.1.1199 ········-·NIST-800-171-3.1.11
100 ········-·CJIS-5.5.6100 ········-·CJIS-5.5.6
101 ········-·DISA-STIG-RHEL-07-040340101 ········-·DISA-STIG-RHEL-07-040340
102 ····102 ····
 103 ····
 104 ····
 105 ····-·name:·Set·SSH·Idle·Timeout·Interval
 106 ······lineinfile:
 107 ········create:·yes
 108 ········dest:·/etc/ssh/sshd_config
 109 ········regexp:·^ClientAliveInterval
 110 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"
 111 ········validate:·sshd·-t·-f·%s
 112 ······#notify:·restart·sshd
 113 ······tags:
 114 ········-·sshd_set_idle_timeout
 115 ········-·unknown_severity
 116 ········-·restrict_strategy
 117 ········-·low_complexity
 118 ········-·low_disruption
 119 ········-·CCE-27433-2
 120 ········-·NIST-800-53-AC-2(5)
 121 ········-·NIST-800-53-SA-8(i)
 122 ········-·NIST-800-53-AC-12
 123 ········-·NIST-800-171-3.1.11
 124 ········-·PCI-DSS-Req-8.1.8
 125 ········-·CJIS-5.5.6
 126 ········-·DISA-STIG-RHEL-07-040320
 127 ····
103 ····-·name:·Enable·SSH·Warning·Banner128 ····-·name:·Enable·SSH·Warning·Banner
104 ······lineinfile:129 ······lineinfile:
105 ········create:·yes130 ········create:·yes
106 ········dest:·/etc/ssh/sshd_config131 ········dest:·/etc/ssh/sshd_config
107 ········regexp:·^Banner132 ········regexp:·^Banner
108 ········line:·Banner·/etc/issue133 ········line:·Banner·/etc/issue
109 ········validate:·sshd·-t·-f·%s134 ········validate:·sshd·-t·-f·%s
Offset 119, 33 lines modifiedOffset 144, 14 lines modified
119 ········-·NIST-800-53-AC-8(c)(1)144 ········-·NIST-800-53-AC-8(c)(1)
120 ········-·NIST-800-53-AC-8(c)(2)145 ········-·NIST-800-53-AC-8(c)(2)
121 ········-·NIST-800-53-AC-8(c)(3)146 ········-·NIST-800-53-AC-8(c)(3)
122 ········-·NIST-800-171-3.1.9147 ········-·NIST-800-171-3.1.9
123 ········-·CJIS-5.5.6148 ········-·CJIS-5.5.6
124 ········-·DISA-STIG-RHEL-07-040170149 ········-·DISA-STIG-RHEL-07-040170
125 ····150 ····
126 ····-·name:·Do·Not·Allow·SSH·Environment·Options 
127 ······lineinfile: 
128 ········create:·yes 
129 ········dest:·/etc/ssh/sshd_config 
130 ········regexp:·^PermitUserEnvironment 
131 ········line:·PermitUserEnvironment·no 
132 ········validate:·sshd·-t·-f·%s 
133 ······tags: 
134 ········-·sshd_do_not_permit_user_env 
135 ········-·medium_severity 
136 ········-·restrict_strategy 
137 ········-·low_complexity 
138 ········-·low_disruption 
139 ········-·CCE-27363-1 
140 ········-·NIST-800-53-CM-6(b) 
141 ········-·NIST-800-171-3.1.12 
142 ········-·CJIS-5.5.6 
143 ········-·DISA-STIG-RHEL-07-010460 
144 ···· 
145 ····151 ····
146 ····-·name:·"Allow·Only·SSH·Protocol·2"152 ····-·name:·"Allow·Only·SSH·Protocol·2"
147 ······lineinfile:153 ······lineinfile:
148 ········dest:·/etc/ssh/sshd_config154 ········dest:·/etc/ssh/sshd_config
149 ········regexp:·"^Protocol·[0-9]"155 ········regexp:·"^Protocol·[0-9]"
150 ········line:·"Protocol·2"156 ········line:·"Protocol·2"
151 ········validate:·sshd·-t·-f·%s157 ········validate:·sshd·-t·-f·%s
Offset 180, 38 lines modifiedOffset 186, 32 lines modified
180 ········-·CCE-27377-1186 ········-·CCE-27377-1
181 ········-·NIST-800-53-AC-3187 ········-·NIST-800-53-AC-3
182 ········-·NIST-800-53-CM-6(a)188 ········-·NIST-800-53-CM-6(a)
183 ········-·NIST-800-171-3.1.12189 ········-·NIST-800-171-3.1.12
184 ········-·CJIS-5.5.6190 ········-·CJIS-5.5.6
185 ········-·DISA-STIG-RHEL-07-040350191 ········-·DISA-STIG-RHEL-07-040350
186 ····192 ····
187 ····193 ····-·name:·Do·Not·Allow·SSH·Environment·Options
188 ···· 
189 ····-·name:·Set·SSH·Idle·Timeout·Interval 
190 ······lineinfile:194 ······lineinfile:
191 ········create:·yes195 ········create:·yes
192 ········dest:·/etc/ssh/sshd_config196 ········dest:·/etc/ssh/sshd_config
193 ········regexp:·^ClientAliveInterval197 ········regexp:·^PermitUserEnvironment
194 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"198 ········line:·PermitUserEnvironment·no
195 ········validate:·sshd·-t·-f·%s199 ········validate:·sshd·-t·-f·%s
196 ······#notify:·restart·sshd 
197 ······tags:200 ······tags:
198 ········-·sshd_set_idle_timeout201 ········-·sshd_do_not_permit_user_env
199 ········-·unknown_severity202 ········-·medium_severity
200 ········-·restrict_strategy203 ········-·restrict_strategy
Max diff block lines reached; 66416/70623 bytes (94.04%) of diff not shown.
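Review bot: The vars and tasks of this generated role come out in a different order from two builds of the same source (under vars, `sysctl_net_ipv4_tcp_syncookies_value` and `var_auditd_space_left_action` move; under tasks, `Set SSH Idle Timeout Interval` moves from after `Do Not Allow SSH Environment Options` to before `Enable SSH Warning Banner`), which points to the generator iterating an unordered collection rather than to any content change; the hipaa, nist-800-171-cui and ospp sections show the same pattern. Task order in a play is execution order, so unsorted emission can change what a rebuilt package actually does on a host and prevents verifying the .deb by reproducing it. Sorting rules by id and variables by key when the role is rendered would make the output deterministic. Separately, the `#notify: restart sshd` line at new line 112 is commented out, so the ClientAliveInterval value written to /etc/ssh/sshd_config is not applied to the running daemon until sshd is restarted by other means.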
100 KB
./usr/share/scap-security-guide/ansible/ssg-centos7-role-hipaa.yml
Ordering differences only
    
Offset 220, 14 lines modifiedOffset 220, 28 lines modified
220 ········-·low_complexity220 ········-·low_complexity
221 ········-·low_disruption221 ········-·low_disruption
222 ········-·CCE-27165-0222 ········-·CCE-27165-0
223 ········-·NIST-800-53-AC-17(8)223 ········-·NIST-800-53-AC-17(8)
224 ········-·NIST-800-53-CM-7(a)224 ········-·NIST-800-53-CM-7(a)
225 ········-·DISA-STIG-RHEL-07-021710225 ········-·DISA-STIG-RHEL-07-021710
226 ····226 ····
 227 ····-·name:·Ensure·ypbind·is·removed
 228 ······package:
 229 ········name="{{item}}"
 230 ········state=absent
 231 ······with_items:
 232 ········-·ypbind
 233 ······tags:
 234 ········-·package_ypbind_removed
 235 ········-·unknown_severity
 236 ········-·disable_strategy
 237 ········-·low_complexity
 238 ········-·low_disruption
 239 ········-·CCE-27396-1
 240 ····
227 ····-·name:·Disable·service·ypbind241 ····-·name:·Disable·service·ypbind
228 ······service:242 ······service:
229 ········name="{{item}}"243 ········name="{{item}}"
230 ········enabled="no"244 ········enabled="no"
231 ········state="stopped"245 ········state="stopped"
232 ······register:·service_result246 ······register:·service_result
233 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"247 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 239, 28 lines modifiedOffset 253, 14 lines modified
239 ········-·disable_strategy253 ········-·disable_strategy
240 ········-·low_complexity254 ········-·low_complexity
241 ········-·low_disruption255 ········-·low_disruption
242 ········-·CCE-27385-4256 ········-·CCE-27385-4
243 ········-·NIST-800-53-AC-17(8)257 ········-·NIST-800-53-AC-17(8)
244 ········-·NIST-800-53-CM-7258 ········-·NIST-800-53-CM-7
245 ····259 ····
246 ····-·name:·Ensure·ypbind·is·removed 
247 ······package: 
248 ········name="{{item}}" 
249 ········state=absent 
250 ······with_items: 
251 ········-·ypbind 
252 ······tags: 
253 ········-·package_ypbind_removed 
254 ········-·unknown_severity 
255 ········-·disable_strategy 
256 ········-·low_complexity 
257 ········-·low_disruption 
258 ········-·CCE-27396-1 
259 ···· 
260 ····-·name:·Ensure·ypserv·is·removed260 ····-·name:·Ensure·ypserv·is·removed
261 ······package:261 ······package:
262 ········name="{{item}}"262 ········name="{{item}}"
263 ········state=absent263 ········state=absent
264 ······with_items:264 ······with_items:
265 ········-·ypserv265 ········-·ypserv
266 ······tags:266 ······tags:
Offset 389, 14 lines modifiedOffset 389, 33 lines modified
389 ········-·low_disruption389 ········-·low_disruption
390 ········-·CCE-80258-7390 ········-·CCE-80258-7
391 ········-·NIST-800-53-AC-17(8)391 ········-·NIST-800-53-AC-17(8)
392 ········-·NIST-800-53-CM-7392 ········-·NIST-800-53-CM-7
393 ········-·NIST-800-53-CM-6(b)393 ········-·NIST-800-53-CM-6(b)
394 ········-·DISA-STIG-RHEL-07-021300394 ········-·DISA-STIG-RHEL-07-021300
395 ····395 ····
 396 ····-·name:·"Enable·Use·of·Strict·Mode·Checking"
 397 ······lineinfile:
 398 ········create:·yes
 399 ········dest:·/etc/ssh/sshd_config
 400 ········regexp:·(?i)^#?strictmodes
 401 ········line:·StrictModes·yes
 402 ········validate:·sshd·-t·-f·%s
 403 ······#notify:·restart·sshd
 404 ······tags:
 405 ········-·sshd_enable_strictmodes
 406 ········-·medium_severity
 407 ········-·restrict_strategy
 408 ········-·low_complexity
 409 ········-·low_disruption
 410 ········-·CCE-80222-3
 411 ········-·NIST-800-53-AC-6
 412 ········-·NIST-800-171-3.1.12
 413 ········-·DISA-STIG-RHEL-07-040450
 414 ····
396 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"415 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"
397 ······lineinfile:416 ······lineinfile:
398 ········create:·yes417 ········create:·yes
399 ········dest:·/etc/ssh/sshd_config418 ········dest:·/etc/ssh/sshd_config
400 ········regexp:·^IgnoreUserKnownHosts419 ········regexp:·^IgnoreUserKnownHosts
401 ········line:·IgnoreUserKnownHosts·yes420 ········line:·IgnoreUserKnownHosts·yes
402 ········validate:·sshd·-t·-f·%s421 ········validate:·sshd·-t·-f·%s
Offset 452, 32 lines modifiedOffset 471, 14 lines modified
452 ········-·NIST-800-53-AC-2(5)471 ········-·NIST-800-53-AC-2(5)
453 ········-·NIST-800-53-SA-8472 ········-·NIST-800-53-SA-8
454 ········-·NIST-800-53-AC-12473 ········-·NIST-800-53-AC-12
455 ········-·NIST-800-171-3.1.11474 ········-·NIST-800-171-3.1.11
456 ········-·CJIS-5.5.6475 ········-·CJIS-5.5.6
457 ········-·DISA-STIG-RHEL-07-040340476 ········-·DISA-STIG-RHEL-07-040340
458 ····477 ····
459 ····-·name:·Disable·SSH·Support·for·Rhosts·RSA·Authentication 
460 ······lineinfile: 
461 ········create:·yes 
462 ········dest:·/etc/ssh/sshd_config 
463 ········regexp:·^RhostsRSAAuthentication 
464 ········line:·RhostsRSAAuthentication·no 
465 ········validate:·sshd·-t·-f·%s 
466 ······tags: 
467 ········-·sshd_disable_rhosts_rsa 
468 ········-·medium_severity 
469 ········-·restrict_strategy 
470 ········-·low_complexity 
471 ········-·low_disruption 
472 ········-·CCE-80373-4 
473 ········-·NIST-800-53-CM-6(a) 
474 ········-·NIST-800-171-3.1.12 
475 ········-·DISA-STIG-RHEL-07-040330 
476 ···· 
477 ····-·name:·Enable·SSH·Warning·Banner478 ····-·name:·Enable·SSH·Warning·Banner
478 ······lineinfile:479 ······lineinfile:
479 ········create:·yes480 ········create:·yes
480 ········dest:·/etc/ssh/sshd_config481 ········dest:·/etc/ssh/sshd_config
481 ········regexp:·^Banner482 ········regexp:·^Banner
482 ········line:·Banner·/etc/issue483 ········line:·Banner·/etc/issue
483 ········validate:·sshd·-t·-f·%s484 ········validate:·sshd·-t·-f·%s
Offset 516, 33 lines modifiedOffset 517, 14 lines modified
516 ········-·NIST-800-53-IA-7517 ········-·NIST-800-53-IA-7
517 ········-·NIST-800-53-SC-13518 ········-·NIST-800-53-SC-13
Max diff block lines reached; 98846/102348 bytes (96.58%) of diff not shown.
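Review bot: In this build `Ensure ypbind is removed` (new lines 227-240) runs before `Disable service ypbind` (new line 241), the reverse of the other build, so the service task may execute against a unit that is already gone and is kept from failing only by the `failed_when` carve-out for 'Could not find the requested service'. Whether a running daemon is stopped in that case depends on the package's removal scriptlets, which this report does not show, so the two builds are not guaranteed to leave a host in the same state. Emitting tasks in a fixed order (service disable before package removal, or sorted by rule id) removes the ambiguity. The `Enable Use of Strict Mode Checking` task at new lines 396-413 also carries a commented-out `#notify: restart sshd`, so StrictModes does not take effect for the running sshd until it is restarted.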
177 KB
./usr/share/scap-security-guide/ansible/ssg-centos7-role-nist-800-171-cui.yml
Ordering differences only
    
Offset 50, 93 lines modifiedOffset 50, 93 lines modified
50 ··········50 ··········
51 ···vars:51 ···vars:
52 ······sshd_idle_timeout_value:·60052 ······sshd_idle_timeout_value:·600
53 ······sshd_listening_port:·2253 ······sshd_listening_port:·22
54 ······inactivity_timeout_value:·60054 ······inactivity_timeout_value:·600
55 ······rsyslog_remote_loghost_address:·logcollector55 ······rsyslog_remote_loghost_address:·logcollector
56 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·056 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0
57 ······sysctl_net_ipv6_conf_all_forwarding_value:·0 
58 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·057 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0
 58 ······sysctl_net_ipv6_conf_all_forwarding_value:·0
59 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·059 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0
60 ······sysctl_net_ipv6_conf_default_accept_ra_value:·060 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
61 ······sysctl_net_ipv6_conf_all_accept_ra_value:·061 ······sysctl_net_ipv6_conf_all_accept_ra_value:·0
62 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·062 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
63 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·063 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
64 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·164 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
65 ······sysctl_net_ipv4_conf_default_log_martians_value:·165 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
66 ······sysctl_net_ipv4_conf_default_rp_filter_value:·166 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
67 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·067 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
68 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·068 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
69 ······sysctl_net_ipv4_tcp_syncookies_value:·169 ······sysctl_net_ipv4_tcp_syncookies_value:·1
70 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·070 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
71 ······sysctl_net_ipv4_conf_all_log_martians_value:·171 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
72 ······sysctl_net_ipv4_conf_all_rp_filter_value:·172 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
73 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·173 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
74 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·074 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
75 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·075 ······sysctl_net_ipv4_conf_default_log_martians_value:·1
76 ······var_ssh_sysadm_login:·false76 ······var_ssh_sysadm_login:·false
 77 ······var_login_console_enabled:·true
77 ······var_auditadm_exec_content:·true78 ······var_auditadm_exec_content:·true
78 ······var_selinuxuser_execstack:·true79 ······var_selinuxuser_execstack:·true
79 ······var_mount_anyfile:·true80 ······var_mount_anyfile:·true
80 ······var_daemons_use_tcp_wrapper:·false81 ······var_cron_system_cronjob_use_shares:·false
81 ······var_cron_can_relabel:·false82 ······var_cron_can_relabel:·false
 83 ······var_guest_exec_content:·true
 84 ······var_secure_mode:·false
82 ······var_user_exec_content:·true85 ······var_user_exec_content:·true
83 ······var_deny_ptrace:·false86 ······var_deny_ptrace:·false
84 ······var_guest_exec_content:·true 
85 ······var_xserver_object_manager:·false87 ······var_xserver_object_manager:·false
86 ······var_xdm_sysadm_login:·false88 ······var_xdm_sysadm_login:·false
 89 ······var_sysadm_exec_content:·true
87 ······var_selinuxuser_mysql_connect_enabled:·false90 ······var_selinuxuser_mysql_connect_enabled:·false
88 ······var_xguest_mount_media:·true91 ······var_selinuxuser_udp_server:·false
89 ······var_secure_mode:·false 
90 ······var_ssh_keysign:·false92 ······var_ssh_keysign:·false
91 ······var_staff_exec_content:·true93 ······var_staff_exec_content:·true
 94 ······var_gpg_web_anon_write:·false
92 ······var_xserver_execmem:·false95 ······var_xserver_execmem:·false
93 ······var_secure_mode_insmod:·false96 ······var_cron_userdomain_transition:·true
 97 ······var_xguest_mount_media:·true
94 ······var_selinuxuser_rw_noexattrfile:·true98 ······var_selinuxuser_rw_noexattrfile:·true
95 ······var_deny_execmem:·false99 ······var_deny_execmem:·false
96 ······var_ssh_chroot_rw_homedirs:·false100 ······var_ssh_chroot_rw_homedirs:·false
97 ······var_logging_syslogd_can_sendmail:·false 
98 ······var_abrt_anon_write:·false101 ······var_abrt_anon_write:·false
99 ······var_cron_userdomain_transition:·true102 ······var_kerberos_enabled:·true
100 ······var_logging_syslogd_use_tty:·true103 ······var_logging_syslogd_use_tty:·true
101 ······var_login_console_enabled:·true 
102 ······var_abrt_handle_event:·false104 ······var_abrt_handle_event:·false
 105 ······var_mock_enable_homedirs:·false
 106 ······var_secure_mode_insmod:·false
103 ······var_unconfined_login:·true107 ······var_unconfined_login:·true
 108 ······var_logging_syslogd_can_sendmail:·false
104 ······var_selinuxuser_postgresql_connect_enabled:·false109 ······var_selinuxuser_postgresql_connect_enabled:·false
 110 ······var_daemons_use_tcp_wrapper:·false
105 ······var_abrt_upload_watch_anon_write:·true111 ······var_abrt_upload_watch_anon_write:·true
106 ······var_daemons_use_tty:·false112 ······var_daemons_use_tty:·false
107 ······var_selinuxuser_tcp_server:·false113 ······var_selinuxuser_tcp_server:·false
108 ······var_selinuxuser_direct_dri_enabled:·true114 ······var_selinuxuser_direct_dri_enabled:·true
109 ······var_xdm_bind_vnc_tcp_port:·false115 ······var_xdm_bind_vnc_tcp_port:·false
110 ······var_xserver_clients_write_xshm:·false116 ······var_xserver_clients_write_xshm:·false
111 ······var_use_ecryptfs_home_dirs:·false117 ······var_use_ecryptfs_home_dirs:·false
112 ······var_mock_enable_homedirs:·false 
113 ······var_xguest_exec_content:·true118 ······var_xguest_exec_content:·true
 119 ······var_xdm_write_home:·false
 120 ······var_logadm_exec_content:·true
114 ······var_domain_fd_use:·true121 ······var_domain_fd_use:·true
115 ······var_selinuxuser_udp_server:·false 
116 ······var_mmap_low_allowed:·false122 ······var_mmap_low_allowed:·false
117 ······var_selinuxuser_share_music:·false123 ······var_selinuxuser_share_music:·false
118 ······var_selinuxuser_execmod:·true124 ······var_selinuxuser_execmod:·true
119 ······var_cron_system_cronjob_use_shares:·false 
120 ······var_logadm_exec_content:·true 
121 ······var_xguest_connect_network:·true125 ······var_xguest_connect_network:·true
122 ······var_xdm_write_home:·false 
123 ······var_sysadm_exec_content:·true 
124 ······var_xguest_use_bluetooth:·true126 ······var_xguest_use_bluetooth:·true
125 ······var_kerberos_enabled:·true127 ······var_selinuxuser_execheap:·false
126 ······var_secure_mode_policyload:·false 
127 ······var_daemons_dump_core:·false128 ······var_daemons_dump_core:·false
128 ······var_xdm_exec_bootloader:·false129 ······var_xdm_exec_bootloader:·false
129 ······var_gpg_web_anon_write:·false 
130 ······var_fips_mode:·true130 ······var_fips_mode:·true
131 ······var_polyinstantiation_enabled:·false131 ······var_polyinstantiation_enabled:·false
132 ······var_domain_kernel_load_modules:·false132 ······var_domain_kernel_load_modules:·false
133 ······var_selinuxuser_use_ssh_chroot:·false133 ······var_selinuxuser_use_ssh_chroot:·false
134 ······var_selinuxuser_ping:·true134 ······var_selinuxuser_ping:·true
135 ······var_selinuxuser_execheap:·false135 ······var_secure_mode_policyload:·false
136 ······var_secadm_exec_content:·true136 ······var_secadm_exec_content:·true
137 ······var_selinux_policy_name:·targeted137 ······var_selinux_policy_name:·targeted
138 ······var_selinux_state:·enforcing138 ······var_selinux_state:·enforcing
139 ······var_accounts_password_minlen_login_defs:·6139 ······var_accounts_password_minlen_login_defs:·6
140 ······var_accounts_password_warn_age_login_defs:·7140 ······var_accounts_password_warn_age_login_defs:·7
141 ······var_accounts_minimum_age_login_defs:·7141 ······var_accounts_minimum_age_login_defs:·7
142 ······var_accounts_maximum_age_login_defs:·60142 ······var_accounts_maximum_age_login_defs:·60
Offset 156, 22 lines modifiedOffset 156, 22 lines modified
156 ······var_password_pam_difok:·8156 ······var_password_pam_difok:·8
157 ······var_password_pam_ocredit:·-1157 ······var_password_pam_ocredit:·-1
158 ······var_password_pam_lcredit:·-1158 ······var_password_pam_lcredit:·-1
159 ······var_password_pam_ucredit:·-1159 ······var_password_pam_ucredit:·-1
160 ······var_password_pam_retry:·3160 ······var_password_pam_retry:·3
161 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.161 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
162 ······var_accounts_user_umask:·077162 ······var_accounts_user_umask:·077
 163 ······var_accounts_max_concurrent_login_sessions:·10
163 ······var_accounts_fail_delay:·4164 ······var_accounts_fail_delay:·4
164 ······var_accounts_tmout:·600165 ······var_accounts_tmout:·600
165 ······var_accounts_max_concurrent_login_sessions:·10 
166 ······var_auditd_max_log_file:·6166 ······var_auditd_max_log_file:·6
167 ······var_auditd_action_mail_acct:·root167 ······var_auditd_action_mail_acct:·root
168 ······var_auditd_space_left_action:·email 
169 ······var_auditd_admin_space_left_action:·single168 ······var_auditd_admin_space_left_action:·single
170 ······var_auditd_max_log_file_action:·rotate169 ······var_auditd_max_log_file_action:·rotate
 170 ······var_auditd_space_left_action:·email
171 ······var_removable_partition:·/dev/cdrom171 ······var_removable_partition:·/dev/cdrom
172 ······var_removable_partition:·/dev/cdrom172 ······var_removable_partition:·/dev/cdrom
173 ······var_removable_partition:·/dev/cdrom173 ······var_removable_partition:·/dev/cdrom
Max diff block lines reached; 173777/180658 bytes (96.19%) of diff not shown.
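Review bot: The vars block emits `var_removable_partition: /dev/cdrom` three times (new lines 171-173); duplicate keys in a YAML mapping are silently collapsed by permissive loaders and rejected by stricter ones, and here they indicate the generator writes one entry per rule that references the variable instead of de-duplicating. Emitting each variable once, sorted by key, would fix both the duplicate and the reordering seen in the sysctl_* and var_* entries above it. The `login_banner_text` value at line 161 is written as a match pattern (`[\s\n]+` between words) rather than literal banner text; the task that consumes it is outside the shown hunk, so this may be intended, but the generated role should say so, e.g. `# login_banner_text is a match pattern, not literal banner text`.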
177 KB
./usr/share/scap-security-guide/ansible/ssg-centos7-role-ospp.yml
Ordering differences only
    
Offset 61, 93 lines modifiedOffset 61, 93 lines modified
61 ··········61 ··········
62 ···vars:62 ···vars:
63 ······sshd_idle_timeout_value:·60063 ······sshd_idle_timeout_value:·600
64 ······sshd_listening_port:·2264 ······sshd_listening_port:·22
65 ······inactivity_timeout_value:·90065 ······inactivity_timeout_value:·900
66 ······rsyslog_remote_loghost_address:·logcollector66 ······rsyslog_remote_loghost_address:·logcollector
67 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·067 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0
68 ······sysctl_net_ipv6_conf_all_forwarding_value:·0 
69 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·068 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0
 69 ······sysctl_net_ipv6_conf_all_forwarding_value:·0
70 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·070 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0
71 ······sysctl_net_ipv6_conf_default_accept_ra_value:·071 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
72 ······sysctl_net_ipv6_conf_all_accept_ra_value:·072 ······sysctl_net_ipv6_conf_all_accept_ra_value:·0
73 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·073 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
74 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·074 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
75 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·175 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
76 ······sysctl_net_ipv4_conf_default_log_martians_value:·176 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
77 ······sysctl_net_ipv4_conf_default_rp_filter_value:·177 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
78 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·078 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
79 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·079 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
80 ······sysctl_net_ipv4_tcp_syncookies_value:·180 ······sysctl_net_ipv4_tcp_syncookies_value:·1
81 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·081 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
82 ······sysctl_net_ipv4_conf_all_log_martians_value:·182 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
83 ······sysctl_net_ipv4_conf_all_rp_filter_value:·183 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
84 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·184 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
85 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·085 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
86 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·086 ······sysctl_net_ipv4_conf_default_log_martians_value:·1
87 ······var_ssh_sysadm_login:·false87 ······var_ssh_sysadm_login:·false
 88 ······var_login_console_enabled:·true
88 ······var_auditadm_exec_content:·true89 ······var_auditadm_exec_content:·true
89 ······var_selinuxuser_execstack:·true90 ······var_selinuxuser_execstack:·true
90 ······var_mount_anyfile:·true91 ······var_mount_anyfile:·true
91 ······var_daemons_use_tcp_wrapper:·false92 ······var_cron_system_cronjob_use_shares:·false
92 ······var_cron_can_relabel:·false93 ······var_cron_can_relabel:·false
 94 ······var_guest_exec_content:·true
 95 ······var_secure_mode:·false
93 ······var_user_exec_content:·true96 ······var_user_exec_content:·true
94 ······var_deny_ptrace:·false97 ······var_deny_ptrace:·false
95 ······var_guest_exec_content:·true 
96 ······var_xserver_object_manager:·false98 ······var_xserver_object_manager:·false
97 ······var_xdm_sysadm_login:·false99 ······var_xdm_sysadm_login:·false
 100 ······var_sysadm_exec_content:·true
98 ······var_selinuxuser_mysql_connect_enabled:·false101 ······var_selinuxuser_mysql_connect_enabled:·false
99 ······var_xguest_mount_media:·true102 ······var_selinuxuser_udp_server:·false
100 ······var_secure_mode:·false 
101 ······var_ssh_keysign:·false103 ······var_ssh_keysign:·false
102 ······var_staff_exec_content:·true104 ······var_staff_exec_content:·true
 105 ······var_gpg_web_anon_write:·false
103 ······var_xserver_execmem:·false106 ······var_xserver_execmem:·false
104 ······var_secure_mode_insmod:·false107 ······var_cron_userdomain_transition:·true
 108 ······var_xguest_mount_media:·true
105 ······var_selinuxuser_rw_noexattrfile:·true109 ······var_selinuxuser_rw_noexattrfile:·true
106 ······var_deny_execmem:·false110 ······var_deny_execmem:·false
107 ······var_ssh_chroot_rw_homedirs:·false111 ······var_ssh_chroot_rw_homedirs:·false
108 ······var_logging_syslogd_can_sendmail:·false 
109 ······var_abrt_anon_write:·false112 ······var_abrt_anon_write:·false
110 ······var_cron_userdomain_transition:·true113 ······var_kerberos_enabled:·true
111 ······var_logging_syslogd_use_tty:·true114 ······var_logging_syslogd_use_tty:·true
112 ······var_login_console_enabled:·true 
113 ······var_abrt_handle_event:·false115 ······var_abrt_handle_event:·false
 116 ······var_mock_enable_homedirs:·false
 117 ······var_secure_mode_insmod:·false
114 ······var_unconfined_login:·true118 ······var_unconfined_login:·true
 119 ······var_logging_syslogd_can_sendmail:·false
115 ······var_selinuxuser_postgresql_connect_enabled:·false120 ······var_selinuxuser_postgresql_connect_enabled:·false
 121 ······var_daemons_use_tcp_wrapper:·false
116 ······var_abrt_upload_watch_anon_write:·true122 ······var_abrt_upload_watch_anon_write:·true
117 ······var_daemons_use_tty:·false123 ······var_daemons_use_tty:·false
118 ······var_selinuxuser_tcp_server:·false124 ······var_selinuxuser_tcp_server:·false
119 ······var_selinuxuser_direct_dri_enabled:·true125 ······var_selinuxuser_direct_dri_enabled:·true
120 ······var_xdm_bind_vnc_tcp_port:·false126 ······var_xdm_bind_vnc_tcp_port:·false
121 ······var_xserver_clients_write_xshm:·false127 ······var_xserver_clients_write_xshm:·false
122 ······var_use_ecryptfs_home_dirs:·false128 ······var_use_ecryptfs_home_dirs:·false
123 ······var_mock_enable_homedirs:·false 
124 ······var_xguest_exec_content:·true129 ······var_xguest_exec_content:·true
 130 ······var_xdm_write_home:·false
 131 ······var_logadm_exec_content:·true
125 ······var_domain_fd_use:·true132 ······var_domain_fd_use:·true
126 ······var_selinuxuser_udp_server:·false 
127 ······var_mmap_low_allowed:·false133 ······var_mmap_low_allowed:·false
128 ······var_selinuxuser_share_music:·false134 ······var_selinuxuser_share_music:·false
129 ······var_selinuxuser_execmod:·true135 ······var_selinuxuser_execmod:·true
130 ······var_cron_system_cronjob_use_shares:·false 
131 ······var_logadm_exec_content:·true 
132 ······var_xguest_connect_network:·true136 ······var_xguest_connect_network:·true
133 ······var_xdm_write_home:·false 
134 ······var_sysadm_exec_content:·true 
135 ······var_xguest_use_bluetooth:·true137 ······var_xguest_use_bluetooth:·true
136 ······var_kerberos_enabled:·true138 ······var_selinuxuser_execheap:·false
137 ······var_secure_mode_policyload:·false 
138 ······var_daemons_dump_core:·false139 ······var_daemons_dump_core:·false
139 ······var_xdm_exec_bootloader:·false140 ······var_xdm_exec_bootloader:·false
140 ······var_gpg_web_anon_write:·false 
141 ······var_fips_mode:·true141 ······var_fips_mode:·true
142 ······var_polyinstantiation_enabled:·false142 ······var_polyinstantiation_enabled:·false
143 ······var_domain_kernel_load_modules:·false143 ······var_domain_kernel_load_modules:·false
144 ······var_selinuxuser_use_ssh_chroot:·false144 ······var_selinuxuser_use_ssh_chroot:·false
145 ······var_selinuxuser_ping:·true145 ······var_selinuxuser_ping:·true
146 ······var_selinuxuser_execheap:·false146 ······var_secure_mode_policyload:·false
147 ······var_secadm_exec_content:·true147 ······var_secadm_exec_content:·true
148 ······var_selinux_policy_name:·targeted148 ······var_selinux_policy_name:·targeted
149 ······var_selinux_state:·enforcing149 ······var_selinux_state:·enforcing
150 ······var_accounts_password_minlen_login_defs:·6150 ······var_accounts_password_minlen_login_defs:·6
151 ······var_accounts_password_warn_age_login_defs:·7151 ······var_accounts_password_warn_age_login_defs:·7
152 ······var_accounts_minimum_age_login_defs:·7152 ······var_accounts_minimum_age_login_defs:·7
153 ······var_accounts_maximum_age_login_defs:·60153 ······var_accounts_maximum_age_login_defs:·60
Offset 167, 22 lines modifiedOffset 167, 22 lines modified
167 ······var_password_pam_difok:·8167 ······var_password_pam_difok:·8
168 ······var_password_pam_ocredit:·-1168 ······var_password_pam_ocredit:·-1
169 ······var_password_pam_lcredit:·-1169 ······var_password_pam_lcredit:·-1
170 ······var_password_pam_ucredit:·-1170 ······var_password_pam_ucredit:·-1
171 ······var_password_pam_retry:·3171 ······var_password_pam_retry:·3
172 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.172 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
173 ······var_accounts_user_umask:·077173 ······var_accounts_user_umask:·077
 174 ······var_accounts_max_concurrent_login_sessions:·10
174 ······var_accounts_fail_delay:·4175 ······var_accounts_fail_delay:·4
175 ······var_accounts_tmout:·600176 ······var_accounts_tmout:·600
176 ······var_accounts_max_concurrent_login_sessions:·10 
177 ······var_auditd_max_log_file:·6177 ······var_auditd_max_log_file:·6
178 ······var_auditd_action_mail_acct:·root178 ······var_auditd_action_mail_acct:·root
179 ······var_auditd_space_left_action:·email 
180 ······var_auditd_admin_space_left_action:·single179 ······var_auditd_admin_space_left_action:·single
181 ······var_auditd_max_log_file_action:·rotate180 ······var_auditd_max_log_file_action:·rotate
 181 ······var_auditd_space_left_action:·email
182 ······var_removable_partition:·/dev/cdrom182 ······var_removable_partition:·/dev/cdrom
183 ······var_removable_partition:·/dev/cdrom183 ······var_removable_partition:·/dev/cdrom
184 ······var_removable_partition:·/dev/cdrom184 ······var_removable_partition:·/dev/cdrom
Max diff block lines reached; 173778/180659 bytes (96.19%) of diff not shown.
60.8 KB
./usr/share/scap-security-guide/ansible/ssg-centos7-role-pci-dss.yml
Ordering differences only
    
Offset 43, 17 lines modifiedOffset 43, 17 lines modified
43 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000043 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
44 ······var_password_pam_minlen:·744 ······var_password_pam_minlen:·7
45 ······var_password_pam_dcredit:·-145 ······var_password_pam_dcredit:·-1
46 ······var_password_pam_lcredit:·-146 ······var_password_pam_lcredit:·-1
47 ······var_password_pam_ucredit:·-147 ······var_password_pam_ucredit:·-1
48 ······var_auditd_max_log_file:·148 ······var_auditd_max_log_file:·1
49 ······var_auditd_action_mail_acct:·admin49 ······var_auditd_action_mail_acct:·admin
50 ······var_auditd_space_left_action:·suspend 
51 ······var_auditd_admin_space_left_action:·suspend50 ······var_auditd_admin_space_left_action:·suspend
52 ······var_auditd_max_log_file_action:·rotate51 ······var_auditd_max_log_file_action:·rotate
 52 ······var_auditd_space_left_action:·suspend
53 ···tasks:53 ···tasks:
54 ····54 ····
55 ····55 ····
56 ····-·name:·Set·SSH·Idle·Timeout·Interval56 ····-·name:·Set·SSH·Idle·Timeout·Interval
57 ······lineinfile:57 ······lineinfile:
58 ········create:·yes58 ········create:·yes
59 ········dest:·/etc/ssh/sshd_config59 ········dest:·/etc/ssh/sshd_config
Offset 596, 91 lines modifiedOffset 596, 91 lines modified
596 ········-·CCE-80111-8596 ········-·CCE-80111-8
597 ········-·NIST-800-53-AC-11(a)597 ········-·NIST-800-53-AC-11(a)
598 ········-·NIST-800-171-3.1.10598 ········-·NIST-800-171-3.1.10
599 ········-·PCI-DSS-Req-8.1.8599 ········-·PCI-DSS-Req-8.1.8
600 ········-·CJIS-5.5.5600 ········-·CJIS-5.5.5
601 ········-·DISA-STIG-RHEL-07-010100601 ········-·DISA-STIG-RHEL-07-010100
602 ····602 ····
603 ····603 ····-·name:·"Implement·Blank·Screensaver"
604 ···· 
605 ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" 
606 ······ini_file:604 ······ini_file:
607 ········dest:·"/etc/dconf/db/local.d/00-security-settings"605 ········dest:·"/etc/dconf/db/local.d/00-security-settings"
608 ········section:·"org/gnome/desktop/screensaver"606 ········section:·"org/gnome/desktop/screensaver"
609 ········option:·idle-delay607 ········option:·picture-uri
610 ········value:·"{{·inactivity_timeout_value·}}"608 ········value:·string·''
611 ········create:·yes609 ········create:·yes
612 ······tags:610 ······tags:
613 ········-·dconf_gnome_screensaver_idle_delay611 ········-·dconf_gnome_screensaver_mode_blank
614 ········-·medium_severity612 ········-·unknown_severity
615 ········-·unknown_strategy613 ········-·unknown_strategy
616 ········-·low_complexity614 ········-·low_complexity
617 ········-·medium_disruption615 ········-·medium_disruption
618 ········-·CCE-80110-0616 ········-·CCE-80113-4
619 ········-·NIST-800-53-AC-11(a)617 ········-·NIST-800-53-AC-11(b)
620 ········-·NIST-800-171-3.1.10618 ········-·NIST-800-171-3.1.10
621 ········-·PCI-DSS-Req-8.1.8619 ········-·PCI-DSS-Req-8.1.8
622 ········-·CJIS-5.5.5620 ········-·CJIS-5.5.5
623 ········-·DISA-STIG-RHEL-07-010070 
624 ····621 ····
625 ····-·name:·"Prevent·user·modification·of·GNOME·idle-delay"622 ····-·name:·"Prevent·user·modification·of·GNOME·picture-uri"
626 ······lineinfile:623 ······lineinfile:
627 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock624 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock
628 ········regexp:·'^/org/gnome/desktop/screensaver/idle-delay'625 ········regexp:·'^/org/gnome/desktop/screensaver/picture-uri'
629 ········line:·'/org/gnome/desktop/screensaver/idle-delay'626 ········line:·'/org/gnome/desktop/screensaver/picture-uri'
630 ········create:·yes627 ········create:·yes
631 ······tags:628 ······tags:
632 ········-·dconf_gnome_screensaver_idle_delay629 ········-·dconf_gnome_screensaver_mode_blank
633 ········-·medium_severity630 ········-·unknown_severity
634 ········-·unknown_strategy631 ········-·unknown_strategy
635 ········-·low_complexity632 ········-·low_complexity
636 ········-·medium_disruption633 ········-·medium_disruption
637 ········-·CCE-80110-0634 ········-·CCE-80113-4
638 ········-·NIST-800-53-AC-11(a)635 ········-·NIST-800-53-AC-11(b)
639 ········-·NIST-800-171-3.1.10636 ········-·NIST-800-171-3.1.10
640 ········-·PCI-DSS-Req-8.1.8637 ········-·PCI-DSS-Req-8.1.8
641 ········-·CJIS-5.5.5638 ········-·CJIS-5.5.5
642 ········-·DISA-STIG-RHEL-07-010070 
643 ····639 ····
644 ····-·name:·"Implement·Blank·Screensaver"640 ····
 641 ····
 642 ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout"
645 ······ini_file:643 ······ini_file:
646 ········dest:·"/etc/dconf/db/local.d/00-security-settings"644 ········dest:·"/etc/dconf/db/local.d/00-security-settings"
647 ········section:·"org/gnome/desktop/screensaver"645 ········section:·"org/gnome/desktop/screensaver"
648 ········option:·picture-uri646 ········option:·idle-delay
649 ········value:·string·''647 ········value:·"{{·inactivity_timeout_value·}}"
650 ········create:·yes648 ········create:·yes
651 ······tags:649 ······tags:
652 ········-·dconf_gnome_screensaver_mode_blank650 ········-·dconf_gnome_screensaver_idle_delay
653 ········-·unknown_severity651 ········-·medium_severity
654 ········-·unknown_strategy652 ········-·unknown_strategy
655 ········-·low_complexity653 ········-·low_complexity
656 ········-·medium_disruption654 ········-·medium_disruption
657 ········-·CCE-80113-4655 ········-·CCE-80110-0
658 ········-·NIST-800-53-AC-11(b)656 ········-·NIST-800-53-AC-11(a)
659 ········-·NIST-800-171-3.1.10657 ········-·NIST-800-171-3.1.10
660 ········-·PCI-DSS-Req-8.1.8658 ········-·PCI-DSS-Req-8.1.8
661 ········-·CJIS-5.5.5659 ········-·CJIS-5.5.5
 660 ········-·DISA-STIG-RHEL-07-010070
662 ····661 ····
663 ····-·name:·"Prevent·user·modification·of·GNOME·picture-uri"662 ····-·name:·"Prevent·user·modification·of·GNOME·idle-delay"
664 ······lineinfile:663 ······lineinfile:
665 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock664 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock
666 ········regexp:·'^/org/gnome/desktop/screensaver/picture-uri'665 ········regexp:·'^/org/gnome/desktop/screensaver/idle-delay'
667 ········line:·'/org/gnome/desktop/screensaver/picture-uri'666 ········line:·'/org/gnome/desktop/screensaver/idle-delay'
668 ········create:·yes667 ········create:·yes
669 ······tags:668 ······tags:
670 ········-·dconf_gnome_screensaver_mode_blank669 ········-·dconf_gnome_screensaver_idle_delay
671 ········-·unknown_severity670 ········-·medium_severity
672 ········-·unknown_strategy671 ········-·unknown_strategy
673 ········-·low_complexity672 ········-·low_complexity
674 ········-·medium_disruption673 ········-·medium_disruption
675 ········-·CCE-80113-4674 ········-·CCE-80110-0
676 ········-·NIST-800-53-AC-11(b)675 ········-·NIST-800-53-AC-11(a)
677 ········-·NIST-800-171-3.1.10676 ········-·NIST-800-171-3.1.10
678 ········-·PCI-DSS-Req-8.1.8677 ········-·PCI-DSS-Req-8.1.8
679 ········-·CJIS-5.5.5678 ········-·CJIS-5.5.5
 679 ········-·DISA-STIG-RHEL-07-010070
680 ····680 ····
681 ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period"681 ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period"
682 ······ini_file:682 ······ini_file:
683 ········dest:·"/etc/dconf/db/local.d/00-security-settings"683 ········dest:·"/etc/dconf/db/local.d/00-security-settings"
684 ········section:·"org/gnome/desktop/screensaver"684 ········section:·"org/gnome/desktop/screensaver"
685 ········option:·lock-enabled685 ········option:·lock-enabled
686 ········value:·"true"686 ········value:·"true"
Offset 1129, 79 lines modifiedOffset 1129, 79 lines modified
1129 ········-·NIST-800-171-3.3.11129 ········-·NIST-800-171-3.3.1
1130 ········-·PCI-DSS-Req-10.7.a1130 ········-·PCI-DSS-Req-10.7.a
1131 ········-·CJIS-5.4.1.11131 ········-·CJIS-5.4.1.1
1132 ········-·DISA-STIG-RHEL-07-0303501132 ········-·DISA-STIG-RHEL-07-030350
1133 ····1133 ····
1134 ····1134 ····
1135 ····1135 ····
1136 ····-·name:·Configure·auditd·space_left·Action·on·Low·Disk·Space1136 ····-·name:·Configure·auditd·admin_space_left·Action·on·Low·Disk·Space
1137 ······lineinfile:1137 ······lineinfile:
1138 ········dest:·/etc/audit/auditd.conf1138 ········dest:·/etc/audit/auditd.conf
1139 ········line:·"space_left_action·=·{{·var_auditd_space_left_action·}}"1139 ········line:·"admin_space_left_action·=·{{·var_auditd_admin_space_left_action·}}"
1140 ········regexp:·^space_left_action*1140 ········regexp:·"^admin_space_left_action*"
Max diff block lines reached; 56742/62091 bytes (91.39%) of diff not shown.
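Review bot: The `regexp` in the `Configure auditd admin_space_left Action on Low Disk Space` task at the end of the last shown hunk is `^admin_space_left_action*`, where `*` quantifies only the trailing `n`, so it is a shell-glob habit rather than a key match and will also catch any line beginning with `admin_space_left_actio`; `regexp: '^admin_space_left_action\s*='` (and `'^space_left_action\s*='` for the sibling task) states the intent. A second, hedged point: this profile's vars set both `var_auditd_space_left_action` and `var_auditd_admin_space_left_action` to `suspend`, which makes auditd stop writing records once disk space runs low, while the same play tags rules with PCI-DSS-Req-10.7 (log retention); it is worth confirming that silent loss of audit events under disk pressure is the intended trade-off, or whether `email`/`syslog` at the first threshold is preferable. The task is cut off by diffoscope, so its remaining keys are not visible here.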
7.02 KB
./usr/share/scap-security-guide/ansible/ssg-centos7-role-rht-ccp.yml
Ordering differences only
    
Offset 164, 14 lines modifiedOffset 164, 39 lines modified
164 ········-·NIST-800-53-AC-2(5)164 ········-·NIST-800-53-AC-2(5)
165 ········-·NIST-800-53-SA-8165 ········-·NIST-800-53-SA-8
166 ········-·NIST-800-53-AC-12166 ········-·NIST-800-53-AC-12
167 ········-·NIST-800-171-3.1.11167 ········-·NIST-800-171-3.1.11
168 ········-·CJIS-5.5.6168 ········-·CJIS-5.5.6
169 ········-·DISA-STIG-RHEL-07-040340169 ········-·DISA-STIG-RHEL-07-040340
170 ····170 ····
 171 ····
 172 ····
 173 ····-·name:·Set·SSH·Idle·Timeout·Interval
 174 ······lineinfile:
 175 ········create:·yes
 176 ········dest:·/etc/ssh/sshd_config
 177 ········regexp:·^ClientAliveInterval
 178 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"
 179 ········validate:·sshd·-t·-f·%s
 180 ······#notify:·restart·sshd
 181 ······tags:
 182 ········-·sshd_set_idle_timeout
 183 ········-·unknown_severity
 184 ········-·restrict_strategy
 185 ········-·low_complexity
 186 ········-·low_disruption
 187 ········-·CCE-27433-2
 188 ········-·NIST-800-53-AC-2(5)
 189 ········-·NIST-800-53-SA-8(i)
 190 ········-·NIST-800-53-AC-12
 191 ········-·NIST-800-171-3.1.11
 192 ········-·PCI-DSS-Req-8.1.8
 193 ········-·CJIS-5.5.6
 194 ········-·DISA-STIG-RHEL-07-040320
 195 ····
171 ····-·name:·Enable·SSH·Warning·Banner196 ····-·name:·Enable·SSH·Warning·Banner
172 ······lineinfile:197 ······lineinfile:
173 ········create:·yes198 ········create:·yes
174 ········dest:·/etc/ssh/sshd_config199 ········dest:·/etc/ssh/sshd_config
175 ········regexp:·^Banner200 ········regexp:·^Banner
176 ········line:·Banner·/etc/issue201 ········line:·Banner·/etc/issue
177 ········validate:·sshd·-t·-f·%s202 ········validate:·sshd·-t·-f·%s
Offset 187, 33 lines modifiedOffset 212, 14 lines modified
187 ········-·NIST-800-53-AC-8(c)(1)212 ········-·NIST-800-53-AC-8(c)(1)
188 ········-·NIST-800-53-AC-8(c)(2)213 ········-·NIST-800-53-AC-8(c)(2)
189 ········-·NIST-800-53-AC-8(c)(3)214 ········-·NIST-800-53-AC-8(c)(3)
190 ········-·NIST-800-171-3.1.9215 ········-·NIST-800-171-3.1.9
191 ········-·CJIS-5.5.6216 ········-·CJIS-5.5.6
192 ········-·DISA-STIG-RHEL-07-040170217 ········-·DISA-STIG-RHEL-07-040170
193 ····218 ····
194 ····-·name:·Do·Not·Allow·SSH·Environment·Options 
195 ······lineinfile: 
196 ········create:·yes 
197 ········dest:·/etc/ssh/sshd_config 
198 ········regexp:·^PermitUserEnvironment 
199 ········line:·PermitUserEnvironment·no 
200 ········validate:·sshd·-t·-f·%s 
201 ······tags: 
202 ········-·sshd_do_not_permit_user_env 
203 ········-·medium_severity 
204 ········-·restrict_strategy 
205 ········-·low_complexity 
206 ········-·low_disruption 
207 ········-·CCE-27363-1 
208 ········-·NIST-800-53-CM-6(b) 
209 ········-·NIST-800-171-3.1.12 
210 ········-·CJIS-5.5.6 
211 ········-·DISA-STIG-RHEL-07-010460 
212 ···· 
213 ····219 ····
214 ····-·name:·"Allow·Only·SSH·Protocol·2"220 ····-·name:·"Allow·Only·SSH·Protocol·2"
215 ······lineinfile:221 ······lineinfile:
216 ········dest:·/etc/ssh/sshd_config222 ········dest:·/etc/ssh/sshd_config
217 ········regexp:·"^Protocol·[0-9]"223 ········regexp:·"^Protocol·[0-9]"
218 ········line:·"Protocol·2"224 ········line:·"Protocol·2"
219 ········validate:·sshd·-t·-f·%s225 ········validate:·sshd·-t·-f·%s
Offset 248, 38 lines modifiedOffset 254, 32 lines modified
248 ········-·CCE-27377-1254 ········-·CCE-27377-1
249 ········-·NIST-800-53-AC-3255 ········-·NIST-800-53-AC-3
250 ········-·NIST-800-53-CM-6(a)256 ········-·NIST-800-53-CM-6(a)
251 ········-·NIST-800-171-3.1.12257 ········-·NIST-800-171-3.1.12
252 ········-·CJIS-5.5.6258 ········-·CJIS-5.5.6
253 ········-·DISA-STIG-RHEL-07-040350259 ········-·DISA-STIG-RHEL-07-040350
254 ····260 ····
255 ····261 ····-·name:·Do·Not·Allow·SSH·Environment·Options
256 ···· 
257 ····-·name:·Set·SSH·Idle·Timeout·Interval 
258 ······lineinfile:262 ······lineinfile:
259 ········create:·yes263 ········create:·yes
260 ········dest:·/etc/ssh/sshd_config264 ········dest:·/etc/ssh/sshd_config
261 ········regexp:·^ClientAliveInterval265 ········regexp:·^PermitUserEnvironment
262 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"266 ········line:·PermitUserEnvironment·no
263 ········validate:·sshd·-t·-f·%s267 ········validate:·sshd·-t·-f·%s
264 ······#notify:·restart·sshd 
265 ······tags:268 ······tags:
266 ········-·sshd_set_idle_timeout269 ········-·sshd_do_not_permit_user_env
267 ········-·unknown_severity270 ········-·medium_severity
268 ········-·restrict_strategy271 ········-·restrict_strategy
269 ········-·low_complexity272 ········-·low_complexity
270 ········-·low_disruption273 ········-·low_disruption
271 ········-·CCE-27433-2274 ········-·CCE-27363-1
272 ········-·NIST-800-53-AC-2(5)275 ········-·NIST-800-53-CM-6(b)
273 ········-·NIST-800-53-SA-8(i)276 ········-·NIST-800-171-3.1.12
274 ········-·NIST-800-53-AC-12 
275 ········-·NIST-800-171-3.1.11 
276 ········-·PCI-DSS-Req-8.1.8 
277 ········-·CJIS-5.5.6277 ········-·CJIS-5.5.6
278 ········-·DISA-STIG-RHEL-07-040320278 ········-·DISA-STIG-RHEL-07-010460
279 ····279 ····
280 ····-·name:·Use·Only·Approved·Ciphers280 ····-·name:·Use·Only·Approved·Ciphers
281 ······lineinfile:281 ······lineinfile:
282 ········create:·yes282 ········create:·yes
283 ········dest:·/etc/ssh/sshd_config283 ········dest:·/etc/ssh/sshd_config
284 ········regexp:·^Ciphers284 ········regexp:·^Ciphers
285 ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc285 ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Offset 1435, 72 lines modifiedOffset 1435, 72 lines modified
1435 ········-·low_complexity1435 ········-·low_complexity
1436 ········-·low_disruption1436 ········-·low_disruption
1437 ········-·CCE-26887-01437 ········-·CCE-26887-0
1438 ········-·NIST-800-53-AC-61438 ········-·NIST-800-53-AC-6
1439 ········-·PCI-DSS-Req-8.7.c1439 ········-·PCI-DSS-Req-8.7.c
1440 ········-·CJIS-5.5.2.21440 ········-·CJIS-5.5.2.2
1441 ····1441 ····
1442 ····-·name:·"Read·list·libraries·without·root·ownership"1442 ····-·name:·"Read·list·of·world·and·group·writable·system·executables"
1443 ······shell:·"find·-L·/usr/lib·/usr/lib64·/lib·/lib64·\\!·-user·root"1443 ······shell:·"find·/bin·/usr/bin·/usr/local/bin·/sbin·/usr/sbin·/usr/local/sbin·/usr/libexec·-perm·/022·-type·f"
1444 ······register:·libraries_not_owned_by_root1444 ······register:·world_writable_library_files
1445 ······changed_when:·False1445 ······changed_when:·False
1446 ······failed_when:·False1446 ······failed_when:·False
1447 ······check_mode:·no1447 ······check_mode:·no
1448 ······tags:1448 ······tags:
Max diff block lines reached; 2725/7023 bytes (38.80%) of diff not shown.
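Review bot: The unchanged `Use Only Approved Ciphers` task in this section still writes `Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc`, which leaves CBC-mode ciphers and 3des-cbc (a 64-bit block cipher) enabled on sshd; CBC modes in SSH have known plaintext-recovery weaknesses and 64-bit blocks are exposed to birthday-bound attacks on long-lived sessions. If the rht-ccp profile permits it, restrict the line to the CTR suites, `line: Ciphers aes256-ctr,aes192-ctr,aes128-ctr`, or at least add a task comment stating why the CBC list is retained (presumably FIPS-approved compatibility — confirm against the profile source). Separately, the new `Read list of world and group writable system executables` task registers its output as `world_writable_library_files`, a name carried over from the library-ownership task that previously sat at this position; `register: world_group_writable_executables` would read correctly, provided the consuming task (cut off by diffoscope) is renamed with it.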
53.0 KB
./usr/share/scap-security-guide/ansible/ssg-centos7-role-standard.yml
Ordering differences only
    
Offset 832, 1269 lines modifiedOffset 832, 1269 lines modified
832 ········-·CJIS-5.4.1.1832 ········-·CJIS-5.4.1.1
833 ········-·DISA-STIG-RHEL-07-030440833 ········-·DISA-STIG-RHEL-07-030440
834 ····834 ····
835 ····835 ····
836 ····#836 ····#
837 ····#·What·architecture·are·we·on?837 ····#·What·architecture·are·we·on?
838 ····#838 ····#
839 ····-·name:·Set·architecture·for·audit·fsetxattr·tasks839 ····-·name:·Set·architecture·for·audit·chown·tasks
840 ······set_fact:840 ······set_fact:
841 ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}"841 ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}"
842 ····842 ····
843 ····#843 ····#
844 ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d844 ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d
845 ····#845 ····#
846 ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules846 ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules
847 ······find:847 ······find:
848 ········paths:·"/etc/audit/rules.d"848 ········paths:·"/etc/audit/rules.d"
849 ········recurse:·no849 ········recurse:·no
850 ········contains:·"-F·key=perm_mod$"850 ········contains:·"-F·key=perm_mod$"
851 ········patterns:·"*.rules"851 ········patterns:·"*.rules"
852 ······register:·find_fsetxattr852 ······register:·find_chown
853 ····853 ····
854 ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule854 ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule
855 ······set_fact:855 ······set_fact:
856 ········all_files:·856 ········all_files:·
857 ··········-·/etc/audit/rules.d/privileged.rules857 ··········-·/etc/audit/rules.d/privileged.rules
858 ······when:·find_fsetxattr.matched·==·0858 ······when:·find_chown.matched·==·0
859 ····859 ····
860 ····-·name:·Use·matched·file·as·the·recipient·for·the·rule860 ····-·name:·Use·matched·file·as·the·recipient·for·the·rule
861 ······set_fact:861 ······set_fact:
862 ········all_files:862 ········all_files:
863 ··········-·"{{·find_fsetxattr.files·|·map(attribute='path')·|·list·|·first·}}"863 ··········-·"{{·find_chown.files·|·map(attribute='path')·|·list·|·first·}}"
864 ······when:·find_fsetxattr.matched·>·0864 ······when:·find_chown.matched·>·0
865 ····865 ····
866 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·rules.d·when·on·x86866 ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86
867 ······lineinfile:867 ······lineinfile:
868 ········path:·"{{·all_files[0]·}}"868 ········path:·"{{·all_files[0]·}}"
869 ········line:·"-a·always,exit·-F·arch=b32·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"869 ········line:·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
870 ········create:·yes870 ········create:·yes
871 ······tags:871 ······tags:
872 ········-·audit_rules_dac_modification_fsetxattr872 ········-·audit_rules_dac_modification_chown
873 ········-·unknown_severity873 ········-·unknown_severity
874 ········-·restrict_strategy874 ········-·restrict_strategy
875 ········-·low_complexity875 ········-·low_complexity
876 ········-·low_disruption876 ········-·low_disruption
877 ········-·CCE-27389-6877 ········-·CCE-27364-9
878 ········-·NIST-800-53-AC-17(7)878 ········-·NIST-800-53-AC-17(7)
879 ········-·NIST-800-53-AU-1(b)879 ········-·NIST-800-53-AU-1(b)
880 ········-·NIST-800-53-AU-2(a)880 ········-·NIST-800-53-AU-2(a)
881 ········-·NIST-800-53-AU-2(c)881 ········-·NIST-800-53-AU-2(c)
882 ········-·NIST-800-53-AU-2(d)882 ········-·NIST-800-53-AU-2(d)
883 ········-·NIST-800-53-AU-12(a)883 ········-·NIST-800-53-AU-12(a)
884 ········-·NIST-800-53-AU-12(c)884 ········-·NIST-800-53-AU-12(c)
885 ········-·NIST-800-53-IR-5885 ········-·NIST-800-53-IR-5
886 ········-·NIST-800-171-3.1.7886 ········-·NIST-800-171-3.1.7
887 ········-·PCI-DSS-Req-10.5.5887 ········-·PCI-DSS-Req-10.5.5
888 ········-·CJIS-5.4.1.1888 ········-·CJIS-5.4.1.1
889 ········-·DISA-STIG-RHEL-07-030450889 ········-·DISA-STIG-RHEL-07-030370
890 ····890 ····
891 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·rules.d·when·on·x86_64891 ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86_64
892 ······lineinfile:892 ······lineinfile:
893 ········path:·"{{·all_files[0]·}}"893 ········path:·"{{·all_files[0]·}}"
894 ········line:·"-a·always,exit·-F·arch=b64·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"894 ········line:·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
895 ········create:·yes895 ········create:·yes
896 ······when:·audit_arch·==·'b64'896 ······when:·audit_arch·==·'b64'
897 ······tags:897 ······tags:
898 ········-·audit_rules_dac_modification_fsetxattr898 ········-·audit_rules_dac_modification_chown
899 ········-·unknown_severity899 ········-·unknown_severity
900 ········-·restrict_strategy900 ········-·restrict_strategy
901 ········-·low_complexity901 ········-·low_complexity
902 ········-·low_disruption902 ········-·low_disruption
903 ········-·CCE-27389-6903 ········-·CCE-27364-9
904 ········-·NIST-800-53-AC-17(7)904 ········-·NIST-800-53-AC-17(7)
905 ········-·NIST-800-53-AU-1(b)905 ········-·NIST-800-53-AU-1(b)
906 ········-·NIST-800-53-AU-2(a)906 ········-·NIST-800-53-AU-2(a)
907 ········-·NIST-800-53-AU-2(c)907 ········-·NIST-800-53-AU-2(c)
908 ········-·NIST-800-53-AU-2(d)908 ········-·NIST-800-53-AU-2(d)
909 ········-·NIST-800-53-AU-12(a)909 ········-·NIST-800-53-AU-12(a)
910 ········-·NIST-800-53-AU-12(c)910 ········-·NIST-800-53-AU-12(c)
911 ········-·NIST-800-53-IR-5911 ········-·NIST-800-53-IR-5
912 ········-·NIST-800-171-3.1.7912 ········-·NIST-800-171-3.1.7
913 ········-·PCI-DSS-Req-10.5.5913 ········-·PCI-DSS-Req-10.5.5
914 ········-·CJIS-5.4.1.1914 ········-·CJIS-5.4.1.1
915 ········-·DISA-STIG-RHEL-07-030450915 ········-·DISA-STIG-RHEL-07-030370
916 ····#····916 ····#····
917 ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules917 ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules
918 ····#918 ····#
919 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·/etc/audit/audit.rules·when·on·x86919 ····-·name:·Inserts/replaces·the·chown·rule·in·/etc/audit/audit.rules·when·on·x86
920 ······lineinfile:920 ······lineinfile:
921 ········line:·"{{·item·}}"921 ········line:·"{{·item·}}"
922 ········state:·present922 ········state:·present
923 ········dest:·/etc/audit/audit.rules923 ········dest:·/etc/audit/audit.rules
924 ······with_items:924 ······with_items:
925 ········-·"-a·always,exit·-F·arch=b32·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"925 ········-·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
926 ······tags:926 ······tags:
927 ········-·audit_rules_dac_modification_fsetxattr927 ········-·audit_rules_dac_modification_chown
928 ········-·unknown_severity928 ········-·unknown_severity
929 ········-·restrict_strategy929 ········-·restrict_strategy
930 ········-·low_complexity930 ········-·low_complexity
931 ········-·low_disruption931 ········-·low_disruption
932 ········-·CCE-27389-6932 ········-·CCE-27364-9
933 ········-·NIST-800-53-AC-17(7)933 ········-·NIST-800-53-AC-17(7)
934 ········-·NIST-800-53-AU-1(b)934 ········-·NIST-800-53-AU-1(b)
935 ········-·NIST-800-53-AU-2(a)935 ········-·NIST-800-53-AU-2(a)
936 ········-·NIST-800-53-AU-2(c)936 ········-·NIST-800-53-AU-2(c)
937 ········-·NIST-800-53-AU-2(d)937 ········-·NIST-800-53-AU-2(d)
938 ········-·NIST-800-53-AU-12(a)938 ········-·NIST-800-53-AU-12(a)
939 ········-·NIST-800-53-AU-12(c)939 ········-·NIST-800-53-AU-12(c)
940 ········-·NIST-800-53-IR-5940 ········-·NIST-800-53-IR-5
941 ········-·NIST-800-171-3.1.7941 ········-·NIST-800-171-3.1.7
942 ········-·PCI-DSS-Req-10.5.5942 ········-·PCI-DSS-Req-10.5.5
943 ········-·CJIS-5.4.1.1943 ········-·CJIS-5.4.1.1
944 ········-·DISA-STIG-RHEL-07-030450944 ········-·DISA-STIG-RHEL-07-030370
945 ····945 ····
946 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·audit.rules·when·on·x86_64946 ····-·name:·Inserts/replaces·the·chown·rule·in·audit.rules·when·on·x86_64
947 ······lineinfile:947 ······lineinfile:
948 ········line:·"{{·item·}}"948 ········line:·"{{·item·}}"
949 ········state:·present949 ········state:·present
950 ········dest:·/etc/audit/audit.rules950 ········dest:·/etc/audit/audit.rules
951 ········create:·yes951 ········create:·yes
952 ······with_items:952 ······with_items:
953 ········-·"-a·always,exit·-F·arch=b64·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"953 ········-·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
954 ······when:·audit_arch·==·'b64'954 ······when:·audit_arch·==·'b64'
955 ······tags:955 ······tags:
956 ········-·audit_rules_dac_modification_fsetxattr956 ········-·audit_rules_dac_modification_chown
957 ········-·unknown_severity957 ········-·unknown_severity
958 ········-·restrict_strategy958 ········-·restrict_strategy
Max diff block lines reached; 48574/54119 bytes (89.75%) of diff not shown.
111 KB
./usr/share/scap-security-guide/ansible/ssg-centos7-role-stig-rhel7-disa.yml
Ordering differences only
    
Offset 44, 18 lines modifiedOffset 44, 18 lines modified
44 ··········44 ··········
45 ···vars:45 ···vars:
46 ······sshd_idle_timeout_value:·60046 ······sshd_idle_timeout_value:·600
47 ······inactivity_timeout_value:·90047 ······inactivity_timeout_value:·900
48 ······rsyslog_remote_loghost_address:·logcollector48 ······rsyslog_remote_loghost_address:·logcollector
49 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·049 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0
50 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·050 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
51 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 
52 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·151 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
53 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 
54 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·052 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
 53 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
 54 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
55 ······var_selinux_policy_name:·targeted55 ······var_selinux_policy_name:·targeted
56 ······var_selinux_state:·enforcing56 ······var_selinux_state:·enforcing
57 ······var_accounts_minimum_age_login_defs:·157 ······var_accounts_minimum_age_login_defs:·1
58 ······var_accounts_maximum_age_login_defs:·6058 ······var_accounts_maximum_age_login_defs:·60
59 ······var_account_disable_post_pw_expiration:·059 ······var_account_disable_post_pw_expiration:·0
60 ······var_accounts_passwords_pam_faillock_deny:·360 ······var_accounts_passwords_pam_faillock_deny:·3
61 ······var_accounts_passwords_pam_faillock_unlock_time:·never61 ······var_accounts_passwords_pam_faillock_unlock_time:·never
Offset 72, 17 lines modifiedOffset 72, 17 lines modified
72 ······var_password_pam_difok:·872 ······var_password_pam_difok:·8
73 ······var_password_pam_ocredit:·-173 ······var_password_pam_ocredit:·-1
74 ······var_password_pam_lcredit:·-174 ······var_password_pam_lcredit:·-1
75 ······var_password_pam_ucredit:·-175 ······var_password_pam_ucredit:·-1
76 ······var_password_pam_retry:·376 ······var_password_pam_retry:·3
77 ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+sear
ching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)77 ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+an
d[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)
78 ······var_accounts_user_umask:·07778 ······var_accounts_user_umask:·077
 79 ······var_accounts_max_concurrent_login_sessions:·10
79 ······var_accounts_fail_delay:·480 ······var_accounts_fail_delay:·4
80 ······var_accounts_tmout:·60081 ······var_accounts_tmout:·600
81 ······var_accounts_max_concurrent_login_sessions:·10 
82 ······var_auditd_action_mail_acct:·root82 ······var_auditd_action_mail_acct:·root
83 ······var_auditd_space_left_action:·email83 ······var_auditd_space_left_action:·email
84 ······var_removable_partition:·/dev/cdrom84 ······var_removable_partition:·/dev/cdrom
85 ···tasks:85 ···tasks:
86 ····-·name:·Ensure·rsh-server·is·removed86 ····-·name:·Ensure·rsh-server·is·removed
87 ······package:87 ······package:
88 ········name="{{item}}"88 ········name="{{item}}"
Offset 250, 14 lines modifiedOffset 250, 33 lines modified
250 ········-·low_disruption250 ········-·low_disruption
251 ········-·CCE-80258-7251 ········-·CCE-80258-7
252 ········-·NIST-800-53-AC-17(8)252 ········-·NIST-800-53-AC-17(8)
253 ········-·NIST-800-53-CM-7253 ········-·NIST-800-53-CM-7
254 ········-·NIST-800-53-CM-6(b)254 ········-·NIST-800-53-CM-6(b)
255 ········-·DISA-STIG-RHEL-07-021300255 ········-·DISA-STIG-RHEL-07-021300
256 ····256 ····
 257 ····-·name:·"Enable·Use·of·Strict·Mode·Checking"
 258 ······lineinfile:
 259 ········create:·yes
 260 ········dest:·/etc/ssh/sshd_config
 261 ········regexp:·(?i)^#?strictmodes
 262 ········line:·StrictModes·yes
 263 ········validate:·sshd·-t·-f·%s
 264 ······#notify:·restart·sshd
 265 ······tags:
 266 ········-·sshd_enable_strictmodes
 267 ········-·medium_severity
 268 ········-·restrict_strategy
 269 ········-·low_complexity
 270 ········-·low_disruption
 271 ········-·CCE-80222-3
 272 ········-·NIST-800-53-AC-6
 273 ········-·NIST-800-171-3.1.12
 274 ········-·DISA-STIG-RHEL-07-040450
 275 ····
257 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"276 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"
258 ······lineinfile:277 ······lineinfile:
259 ········create:·yes278 ········create:·yes
260 ········dest:·/etc/ssh/sshd_config279 ········dest:·/etc/ssh/sshd_config
261 ········regexp:·^IgnoreUserKnownHosts280 ········regexp:·^IgnoreUserKnownHosts
262 ········line:·IgnoreUserKnownHosts·yes281 ········line:·IgnoreUserKnownHosts·yes
263 ········validate:·sshd·-t·-f·%s282 ········validate:·sshd·-t·-f·%s
Offset 313, 31 lines modifiedOffset 332, 38 lines modified
313 ········-·NIST-800-53-AC-2(5)332 ········-·NIST-800-53-AC-2(5)
314 ········-·NIST-800-53-SA-8333 ········-·NIST-800-53-SA-8
315 ········-·NIST-800-53-AC-12334 ········-·NIST-800-53-AC-12
316 ········-·NIST-800-171-3.1.11335 ········-·NIST-800-171-3.1.11
317 ········-·CJIS-5.5.6336 ········-·CJIS-5.5.6
318 ········-·DISA-STIG-RHEL-07-040340337 ········-·DISA-STIG-RHEL-07-040340
319 ····338 ····
320 ····-·name:·Disable·SSH·Support·for·Rhosts·RSA·Authentication339 ····
 340 ····
 341 ····-·name:·Set·SSH·Idle·Timeout·Interval
321 ······lineinfile:342 ······lineinfile:
322 ········create:·yes343 ········create:·yes
323 ········dest:·/etc/ssh/sshd_config344 ········dest:·/etc/ssh/sshd_config
324 ········regexp:·^RhostsRSAAuthentication345 ········regexp:·^ClientAliveInterval
325 ········line:·RhostsRSAAuthentication·no346 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"
326 ········validate:·sshd·-t·-f·%s347 ········validate:·sshd·-t·-f·%s
 348 ······#notify:·restart·sshd
327 ······tags:349 ······tags:
328 ········-·sshd_disable_rhosts_rsa350 ········-·sshd_set_idle_timeout
329 ········-·medium_severity351 ········-·unknown_severity
330 ········-·restrict_strategy352 ········-·restrict_strategy
331 ········-·low_complexity353 ········-·low_complexity
332 ········-·low_disruption354 ········-·low_disruption
333 ········-·CCE-80373-4355 ········-·CCE-27433-2
334 ········-·NIST-800-53-CM-6(a)356 ········-·NIST-800-53-AC-2(5)
335 ········-·NIST-800-171-3.1.12357 ········-·NIST-800-53-SA-8(i)
336 ········-·DISA-STIG-RHEL-07-040330358 ········-·NIST-800-53-AC-12
 359 ········-·NIST-800-171-3.1.11
 360 ········-·PCI-DSS-Req-8.1.8
 361 ········-·CJIS-5.5.6
 362 ········-·DISA-STIG-RHEL-07-040320
337 ····363 ····
338 ····-·name:·Enable·SSH·Warning·Banner364 ····-·name:·Enable·SSH·Warning·Banner
339 ······lineinfile:365 ······lineinfile:
340 ········create:·yes366 ········create:·yes
341 ········dest:·/etc/ssh/sshd_config367 ········dest:·/etc/ssh/sshd_config
342 ········regexp:·^Banner368 ········regexp:·^Banner
343 ········line:·Banner·/etc/issue369 ········line:·Banner·/etc/issue
Offset 377, 33 lines modifiedOffset 403, 14 lines modified
377 ········-·NIST-800-53-IA-7403 ········-·NIST-800-53-IA-7
378 ········-·NIST-800-53-SC-13404 ········-·NIST-800-53-SC-13
379 ········-·NIST-800-171-3.1.13405 ········-·NIST-800-171-3.1.13
380 ········-·NIST-800-171-3.13.11406 ········-·NIST-800-171-3.13.11
381 ········-·NIST-800-171-3.13.8407 ········-·NIST-800-171-3.13.8
382 ········-·DISA-STIG-RHEL-07-040400408 ········-·DISA-STIG-RHEL-07-040400
383 ····409 ····
384 ····-·name:·Do·Not·Allow·SSH·Environment·Options 
385 ······lineinfile: 
386 ········create:·yes 
387 ········dest:·/etc/ssh/sshd_config 
388 ········regexp:·^PermitUserEnvironment 
389 ········line:·PermitUserEnvironment·no 
390 ········validate:·sshd·-t·-f·%s 
Max diff block lines reached; 106151/113585 bytes (93.46%) of diff not shown.
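Review bot: The two builds contain the same tasks and vars in a different order (the section is marked "Ordering differences only", and the `sysctl_*` vars at new lines 51–54 and the sshd tasks at new lines 257–275 and 341–362 simply move), so the role generator's output is not deterministic and the package cannot be reproduced; the generator is not visible here, but iteration over an unordered set or dict of rule and variable ids is the usual cause, and sorting those ids before emission would make the order stable. The same symptom appears in the rhel6-role-C2S, rhel6-role-CS2 and rhel6-role-CSCF-RHEL6-MLS sections below. Separately, the sshd tasks on the new side carry `#notify: restart sshd` (new lines 264 and 348) as a commented-out handler, so `StrictModes yes` and `ClientAliveInterval` are written to /etc/ssh/sshd_config but the running daemon keeps its old settings until something else restarts it; either enable the handler or note in the task name that a restart is required for the change to take effect.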
87.3 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-C2S.yml
    
Offset 43, 57 lines modifiedOffset 43, 58 lines modified
43 ··········43 ··········
44 ···vars:44 ···vars:
45 ······sshd_idle_timeout_value:·30045 ······sshd_idle_timeout_value:·300
46 ······rsyslog_remote_loghost_address:·None46 ······rsyslog_remote_loghost_address:·None
47 ······sysctl_net_ipv6_conf_default_accept_ra_value:·047 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
48 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·048 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·049 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
50 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·150 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
51 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·051 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
52 ······sysctl_net_ipv4_conf_default_rp_filter_value:·152 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
53 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·153 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
54 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·154 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
55 ······sysctl_net_ipv4_tcp_syncookies_value:·155 ······sysctl_net_ipv4_tcp_syncookies_value:·1
56 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·056 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
57 ······sysctl_net_ipv4_conf_all_log_martians_value:·057 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
58 ······sysctl_net_ipv4_conf_all_rp_filter_value:·158 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
59 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·159 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
60 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·060 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
61 ······var_selinux_policy_name:·targeted61 ······var_selinux_policy_name:·targeted
62 ······var_selinux_state:·enforcing62 ······var_selinux_state:·enforcing
63 ······var_accounts_minimum_age_login_defs:·1 
64 ······var_accounts_maximum_age_login_defs:·90 
65 ······var_accounts_password_warn_age_login_defs:·763 ······var_accounts_password_warn_age_login_defs:·7
 64 ······var_accounts_maximum_age_login_defs:·90
 65 ······var_accounts_minimum_age_login_defs:·1
66 ······var_account_disable_post_pw_expiration:·3566 ······var_account_disable_post_pw_expiration:·35
67 ······var_password_pam_unix_remember:·067 ······var_password_pam_unix_remember:·0
68 ······var_accounts_passwords_pam_faillock_deny:·368 ······var_accounts_passwords_pam_faillock_deny:·3
69 ······var_accounts_passwords_pam_faillock_unlock_time:·60480069 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
70 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000070 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
 71 ······var_removable_partition:·/dev/cdrom
 72 ······var_removable_partition:·/dev/cdrom
 73 ······var_removable_partition:·/dev/cdrom
71 ······var_auditd_max_log_file:·174 ······var_auditd_max_log_file:·1
72 ······var_auditd_action_mail_acct:·admin75 ······var_auditd_action_mail_acct:·admin
73 ······var_auditd_space_left_action:·suspend 
74 ······var_auditd_admin_space_left_action:·suspend76 ······var_auditd_admin_space_left_action:·suspend
 77 ······var_auditd_space_left_action:·suspend
75 ······var_auditd_max_log_file_action:·ignore78 ······var_auditd_max_log_file_action:·ignore
76 ······var_removable_partition:·/dev/cdrom 
77 ······var_removable_partition:·/dev/cdrom 
78 ······var_removable_partition:·/dev/cdrom 
79 ···tasks:79 ···tasks:
80 ····-·name:·Ensure·samba·is·removed80 ····-·name:·Ensure·vsftpd·is·removed
81 ······package:81 ······package:
82 ········name="{{item}}"82 ········name="{{item}}"
83 ········state=absent83 ········state=absent
84 ······with_items:84 ······with_items:
85 ········-·samba85 ········-·vsftpd
86 ······tags:86 ······tags:
87 ········-·package_samba_removed87 ········-·package_vsftpd_removed
88 ········-·unknown_severity88 ········-·unknown_severity
89 ········-·disable_strategy89 ········-·disable_strategy
90 ········-·low_complexity90 ········-·low_complexity
91 ········-·low_disruption91 ········-·low_disruption
92 ········-·CCE-27102-392 ········-·CCE-26687-4
 93 ········-·NIST-800-53-CM-7
93 ····94 ····
94 ····-·name:·Ensure·httpd·is·removed95 ····-·name:·Ensure·httpd·is·removed
95 ······package:96 ······package:
96 ········name="{{item}}"97 ········name="{{item}}"
97 ········state=absent98 ········state=absent
98 ······with_items:99 ······with_items:
99 ········-·httpd100 ········-·httpd
Offset 102, 29 lines modifiedOffset 103, 43 lines modified
102 ········-·unknown_severity103 ········-·unknown_severity
103 ········-·disable_strategy104 ········-·disable_strategy
104 ········-·low_complexity105 ········-·low_complexity
105 ········-·low_disruption106 ········-·low_disruption
106 ········-·CCE-27133-8107 ········-·CCE-27133-8
107 ········-·NIST-800-53-CM-7108 ········-·NIST-800-53-CM-7
108 ····109 ····
109 ····-·name:·Ensure·dhcp·is·removed110 ····-·name:·Ensure·bind·is·removed
110 ······package:111 ······package:
111 ········name="{{item}}"112 ········name="{{item}}"
112 ········state=absent113 ········state=absent
113 ······with_items:114 ······with_items:
114 ········-·dhcp115 ········-·bind
115 ······tags:116 ······tags:
116 ········-·package_dhcp_removed117 ········-·package_bind_removed
117 ········-·medium_severity118 ········-·unknown_severity
118 ········-·disable_strategy119 ········-·disable_strategy
119 ········-·low_complexity120 ········-·low_complexity
120 ········-·low_disruption121 ········-·low_disruption
121 ········-·CCE-27120-5122 ········-·CCE-27030-6
122 ········-·NIST-800-53-CM-7123 ········-·NIST-800-53-CM-7
123 ····124 ····
 125 ····-·name:·Ensure·samba·is·removed
 126 ······package:
 127 ········name="{{item}}"
 128 ········state=absent
 129 ······with_items:
 130 ········-·samba
 131 ······tags:
 132 ········-·package_samba_removed
 133 ········-·unknown_severity
 134 ········-·disable_strategy
 135 ········-·low_complexity
 136 ········-·low_disruption
 137 ········-·CCE-27102-3
 138 ····
124 ····-·name:·Enable·service·ntpd139 ····-·name:·Enable·service·ntpd
125 ······service:140 ······service:
126 ········name="{{item}}"141 ········name="{{item}}"
127 ········enabled="yes"142 ········enabled="yes"
128 ········state="started"143 ········state="started"
129 ······with_items:144 ······with_items:
130 ········-·ntpd145 ········-·ntpd
Offset 135, 45 lines modifiedOffset 150, 94 lines modified
135 ········-·low_complexity150 ········-·low_complexity
136 ········-·low_disruption151 ········-·low_disruption
137 ········-·CCE-27093-4152 ········-·CCE-27093-4
138 ········-·NIST-800-53-AU-8(1)153 ········-·NIST-800-53-AU-8(1)
139 ········-·PCI-DSS-Req-10.4154 ········-·PCI-DSS-Req-10.4
140 ········-·DISA-STIG-RHEL-06-000247155 ········-·DISA-STIG-RHEL-06-000247
141 ····156 ····
142 ····-·name:·Disable·service·cups157 ····-·name:·Ensure·openldap-servers·is·removed
 158 ······package:
 159 ········name="{{item}}"
 160 ········state=absent
 161 ······with_items:
 162 ········-·openldap-servers
 163 ······tags:
 164 ········-·package_openldap-servers_removed
 165 ········-·unknown_severity
 166 ········-·disable_strategy
 167 ········-·low_complexity
Max diff block lines reached; 83773/89246 bytes (93.87%) of diff not shown.
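Review bot: `var_removable_partition: /dev/cdrom` is emitted three times in the vars mapping (new side lines 71–73), a duplicate-key mapping that YAML loaders accept silently or with a warning while keeping the last value; it looks like one entry is written per rule that references the variable rather than once per variable, so if two rules ever carried different values the last one would win without any error. The same triplicate appears in the rhel6-role-CS2 section (lines 65–67 on both sides). Deduplicating variable names before emission would leave a single `var_removable_partition: /dev/cdrom` line.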
177 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-CS2.yml
    
Offset 33, 88 lines modifiedOffset 33, 75 lines modified
33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
34 ··········34 ··········
35 ···vars:35 ···vars:
36 ······rsyslog_remote_loghost_address:·None36 ······rsyslog_remote_loghost_address:·None
37 ······sysctl_net_ipv6_conf_default_accept_ra_value:·037 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
38 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·038 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
39 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·039 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
40 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·140 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
41 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·041 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
42 ······sysctl_net_ipv4_conf_default_rp_filter_value:·142 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
43 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·143 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
44 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·144 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
45 ······sysctl_net_ipv4_tcp_syncookies_value:·145 ······sysctl_net_ipv4_tcp_syncookies_value:·1
46 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·046 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
47 ······sysctl_net_ipv4_conf_all_log_martians_value:·047 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
48 ······sysctl_net_ipv4_conf_all_rp_filter_value:·148 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
49 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·149 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
50 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·050 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
51 ······var_selinux_policy_name:·targeted51 ······var_selinux_policy_name:·targeted
52 ······var_selinux_state:·enforcing52 ······var_selinux_state:·enforcing
53 ······var_accounts_password_minlen_login_defs:·1453 ······var_accounts_password_minlen_login_defs:·14
54 ······var_accounts_minimum_age_login_defs:·1 
55 ······var_accounts_maximum_age_login_defs:·180 
56 ······var_accounts_password_warn_age_login_defs:·754 ······var_accounts_password_warn_age_login_defs:·7
 55 ······var_accounts_maximum_age_login_defs:·180
 56 ······var_accounts_minimum_age_login_defs:·1
57 ······var_account_disable_post_pw_expiration:·3557 ······var_account_disable_post_pw_expiration:·35
58 ······var_password_pam_unix_remember:·1058 ······var_password_pam_unix_remember:·10
59 ······var_accounts_passwords_pam_faillock_deny:·359 ······var_accounts_passwords_pam_faillock_deny:·3
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_user_umask:·07763 ······var_accounts_user_umask:·077
64 ······var_accounts_max_concurrent_login_sessions:·364 ······var_accounts_max_concurrent_login_sessions:·3
65 ······var_removable_partition:·/dev/cdrom65 ······var_removable_partition:·/dev/cdrom
66 ······var_removable_partition:·/dev/cdrom66 ······var_removable_partition:·/dev/cdrom
67 ······var_removable_partition:·/dev/cdrom67 ······var_removable_partition:·/dev/cdrom
68 ···tasks:68 ···tasks:
69 ····-·name:·Disable·service·smb69 ····-·name:·Disable·service·vsftpd
70 ······service:70 ······service:
71 ········name="{{item}}"71 ········name="{{item}}"
72 ········enabled="no"72 ········enabled="no"
73 ········state="stopped"73 ········state="stopped"
74 ······register:·service_result74 ······register:·service_result
75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
76 ······with_items:76 ······with_items:
77 ········-·smb77 ········-·vsftpd
78 ······tags:78 ······tags:
79 ········-·service_smb_disabled79 ········-·service_vsftpd_disabled
80 ········-·unknown_severity80 ········-·unknown_severity
81 ········-·disable_strategy81 ········-·disable_strategy
82 ········-·low_complexity82 ········-·low_complexity
83 ········-·low_disruption83 ········-·low_disruption
84 ········-·CCE-27143-784 ········-·CCE-26948-0
85 ····85 ········-·NIST-800-53-CM-7
86 ····-·name:·Check·if·/etc/samba/smb.conf·exists 
87 ······stat: 
88 ········path:·/etc/samba/smb.conf 
89 ······register:·st_smb 
90 ······tags: 
91 ········-·require_smb_client_signing 
92 ········-·unknown_severity 
93 ········-·configure_strategy 
94 ········-·low_complexity 
95 ········-·medium_disruption 
96 ········-·CCE-26328-5 
97 ········-·DISA-STIG-RHEL-06-000272 
98 ····86 ····
99 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient87 ····-·name:·Ensure·vsftpd·is·removed
100 ······lineinfile:88 ······package:
101 ········dest:·/etc/samba/smb.conf89 ········name="{{item}}"
102 ········line:·client·signing·=·mandatory90 ········state=absent
103 ········state:·present91 ······with_items:
104 ········insertafter:·[global]92 ········-·vsftpd
105 ······when:·st_smb.stat.exists 
106 ······tags:93 ······tags:
107 ········-·require_smb_client_signing94 ········-·package_vsftpd_removed
108 ········-·unknown_severity95 ········-·unknown_severity
109 ········-·configure_strategy96 ········-·disable_strategy
110 ········-·low_complexity97 ········-·low_complexity
111 ········-·medium_disruption98 ········-·low_disruption
112 ········-·CCE-26328-599 ········-·CCE-26687-4
113 ········-·DISA-STIG-RHEL-06-000272100 ········-·NIST-800-53-CM-7
114 ····101 ····
115 ····-·name:·Ensure·httpd·is·removed102 ····-·name:·Ensure·httpd·is·removed
116 ······package:103 ······package:
117 ········name="{{item}}"104 ········name="{{item}}"
118 ········state=absent105 ········state=absent
119 ······with_items:106 ······with_items:
120 ········-·httpd107 ········-·httpd
Offset 153, 45 lines modifiedOffset 140, 92 lines modified
153 ········-·unknown_severity140 ········-·unknown_severity
154 ········-·configure_strategy141 ········-·configure_strategy
155 ········-·low_complexity142 ········-·low_complexity
156 ········-·low_disruption143 ········-·low_disruption
157 ········-·CCE-27316-9144 ········-·CCE-27316-9
158 ········-·NIST-800-53-CM-7145 ········-·NIST-800-53-CM-7
159 ····146 ····
160 ····-·name:·Ensure·sendmail·is·removed147 ····-·name:·Disable·service·named
 148 ······service:
 149 ········name="{{item}}"
 150 ········enabled="no"
 151 ········state="stopped"
 152 ······register:·service_result
 153 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 154 ······with_items:
 155 ········-·named
 156 ······tags:
 157 ········-·service_named_disabled
 158 ········-·unknown_severity
 159 ········-·disable_strategy
 160 ········-·low_complexity
 161 ········-·low_disruption
 162 ········-·CCE-26873-0
 163 ········-·NIST-800-53-CM-7
 164 ····
 165 ····-·name:·Ensure·bind·is·removed
161 ······package:166 ······package:
162 ········name="{{item}}"167 ········name="{{item}}"
163 ········state=absent168 ········state=absent
164 ······with_items:169 ······with_items:
165 ········-·sendmail170 ········-·bind
166 ······tags:171 ······tags:
167 ········-·package_sendmail_removed172 ········-·package_bind_removed
168 ········-·medium_severity173 ········-·unknown_severity
169 ········-·disable_strategy174 ········-·disable_strategy
170 ········-·low_complexity175 ········-·low_complexity
Max diff block lines reached; 175955/181073 bytes (97.17%) of diff not shown.
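Review bot: `failed_when: "service_result|failed and ('Could not find the requested service' not in service_result.msg)"` (new side lines 75 and 153) uses `failed` as a Jinja filter; Ansible deprecated filter-syntax tests in 2.5 and removed them in 2.9, so on current releases this expression raises a template error and the "Disable service" tasks abort. The role only asserts `version_compare('2.3', '>=')`, which does not protect against that, and `version_compare` itself was renamed to the `version` test on the same schedule. Writing the condition as `service_result is failed and ('Could not find the requested service' not in service_result.msg)` works on 2.5 and later while keeping the same behavior.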
129 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-CSCF-RHEL6-MLS.yml
    
Offset 35, 39 lines modifiedOffset 35, 72 lines modified
35 ·······assert:35 ·······assert:
36 ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')"36 ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')"
37 ·········msg:·>37 ·········msg:·>
38 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."38 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
39 ··········39 ··········
40 ···vars:40 ···vars:
41 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·041 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
42 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·142 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
43 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_rp_filter_value:·144 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
45 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·145 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
46 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·146 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
47 ······sysctl_net_ipv4_tcp_syncookies_value:·147 ······sysctl_net_ipv4_tcp_syncookies_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·048 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_all_log_martians_value:·049 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
50 ······sysctl_net_ipv4_conf_all_rp_filter_value:·150 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
51 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·151 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
52 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·052 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
53 ······var_selinux_policy_name:·mls53 ······var_selinux_policy_name:·mls
54 ······var_selinux_state:·enforcing54 ······var_selinux_state:·enforcing
55 ······var_accounts_password_minlen_login_defs:·1255 ······var_accounts_password_minlen_login_defs:·12
56 ······var_accounts_maximum_age_login_defs:·180 
57 ······var_accounts_password_warn_age_login_defs:·756 ······var_accounts_password_warn_age_login_defs:·7
 57 ······var_accounts_maximum_age_login_defs:·180
58 ······var_account_disable_post_pw_expiration:·3558 ······var_account_disable_post_pw_expiration:·35
59 ······var_password_pam_unix_remember:·059 ······var_password_pam_unix_remember:·0
60 ······var_password_pam_retry:·360 ······var_password_pam_retry:·3
61 ······var_auditd_max_log_file:·161 ······var_auditd_max_log_file:·1
62 ······var_auditd_action_mail_acct:·admin62 ······var_auditd_action_mail_acct:·admin
63 ······var_auditd_space_left_action:·suspend 
64 ······var_auditd_admin_space_left_action:·suspend63 ······var_auditd_admin_space_left_action:·suspend
 64 ······var_auditd_space_left_action:·suspend
65 ······var_auditd_max_log_file_action:·keep_logs65 ······var_auditd_max_log_file_action:·keep_logs
66 ···tasks:66 ···tasks:
 67 ····-·name:·Disable·service·vsftpd
 68 ······service:
 69 ········name="{{item}}"
 70 ········enabled="no"
 71 ········state="stopped"
 72 ······register:·service_result
 73 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 74 ······with_items:
 75 ········-·vsftpd
 76 ······tags:
 77 ········-·service_vsftpd_disabled
 78 ········-·unknown_severity
 79 ········-·disable_strategy
 80 ········-·low_complexity
 81 ········-·low_disruption
 82 ········-·CCE-26948-0
 83 ········-·NIST-800-53-CM-7
 84 ····
 85 ····-·name:·Ensure·vsftpd·is·removed
 86 ······package:
 87 ········name="{{item}}"
 88 ········state=absent
 89 ······with_items:
 90 ········-·vsftpd
 91 ······tags:
 92 ········-·package_vsftpd_removed
 93 ········-·unknown_severity
 94 ········-·disable_strategy
 95 ········-·low_complexity
 96 ········-·low_disruption
 97 ········-·CCE-26687-4
 98 ········-·NIST-800-53-CM-7
 99 ····
67 ····100 ····
68 ····-·name:·Find·/etc/httpd/conf/*·file(s)101 ····-·name:·Find·/etc/httpd/conf/*·file(s)
69 ······find:102 ······find:
70 ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}"103 ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}"
71 ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}"104 ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}"
72 ······register:·files_found105 ······register:·files_found
73 ······tags:106 ······tags:
Offset 90, 98 lines modifiedOffset 123, 116 lines modified
90 ········-·unknown_severity123 ········-·unknown_severity
91 ········-·configure_strategy124 ········-·configure_strategy
92 ········-·low_complexity125 ········-·low_complexity
93 ········-·low_disruption126 ········-·low_disruption
94 ········-·CCE-27316-9127 ········-·CCE-27316-9
95 ········-·NIST-800-53-CM-7128 ········-·NIST-800-53-CM-7
96 ····129 ····
97 ····-·name:·Ensure·sendmail·is·removed130 ····-·name:·Disable·service·named
98 ······package:131 ······service:
99 ········name="{{item}}"132 ········name="{{item}}"
100 ········state=absent133 ········enabled="no"
 134 ········state="stopped"
 135 ······register:·service_result
 136 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
101 ······with_items:137 ······with_items:
102 ········-·sendmail138 ········-·named
103 ······tags:139 ······tags:
104 ········-·package_sendmail_removed140 ········-·service_named_disabled
105 ········-·medium_severity141 ········-·unknown_severity
106 ········-·disable_strategy142 ········-·disable_strategy
107 ········-·low_complexity143 ········-·low_complexity
108 ········-·low_disruption144 ········-·low_disruption
109 ········-·CCE-27515-6145 ········-·CCE-26873-0
110 ········-·NIST-800-53-CM-7146 ········-·NIST-800-53-CM-7
111 ········-·DISA-STIG-RHEL-06-000288 
112 ····147 ····
113 ····-·name:·Ensure·dhcp·is·removed148 ····-·name:·Ensure·bind·is·removed
114 ······package:149 ······package:
115 ········name="{{item}}"150 ········name="{{item}}"
116 ········state=absent151 ········state=absent
117 ······with_items:152 ······with_items:
118 ········-·dhcp153 ········-·bind
119 ······tags:154 ······tags:
120 ········-·package_dhcp_removed155 ········-·package_bind_removed
121 ········-·medium_severity156 ········-·unknown_severity
122 ········-·disable_strategy157 ········-·disable_strategy
123 ········-·low_complexity158 ········-·low_complexity
124 ········-·low_disruption159 ········-·low_disruption
125 ········-·CCE-27120-5160 ········-·CCE-27030-6
126 ········-·NIST-800-53-CM-7161 ········-·NIST-800-53-CM-7
127 ····162 ····
128 ····-·name:·Disable·service·dhcpd163 ····-·name:·Enable·service·ntpd
129 ······service:164 ······service:
130 ········name="{{item}}"165 ········name="{{item}}"
131 ········enabled="no"166 ········enabled="yes"
132 ········state="stopped"167 ········state="started"
133 ······register:·service_result 
134 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" 
135 ······with_items:168 ······with_items:
136 ········-·dhcpd169 ········-·ntpd
137 ······tags:170 ······tags:
138 ········-·service_dhcpd_disabled171 ········-·service_ntpd_enabled
Max diff block lines reached; 127041/131888 bytes (96.32%) of diff not shown.
129 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-desktop.yml
    
Offset 34, 87 lines modifiedOffset 34, 74 lines modified
34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
35 ··········35 ··········
36 ···vars:36 ···vars:
37 ······sshd_idle_timeout_value:·30037 ······sshd_idle_timeout_value:·300
38 ······rsyslog_remote_loghost_address:·None38 ······rsyslog_remote_loghost_address:·None
39 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·039 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
40 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·040 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
41 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·141 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
42 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·042 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
43 ······sysctl_net_ipv4_conf_default_rp_filter_value:·143 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
44 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·044 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
45 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
46 ······sysctl_net_ipv4_tcp_syncookies_value:·146 ······sysctl_net_ipv4_tcp_syncookies_value:·1
47 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·047 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
48 ······sysctl_net_ipv4_conf_all_log_martians_value:·148 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
49 ······sysctl_net_ipv4_conf_all_rp_filter_value:·149 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
50 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·150 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
51 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·051 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
52 ······var_selinux_policy_name:·targeted52 ······var_selinux_policy_name:·targeted
53 ······var_selinux_state:·enforcing53 ······var_selinux_state:·enforcing
54 ······var_accounts_password_minlen_login_defs:·1554 ······var_accounts_password_minlen_login_defs:·15
55 ······var_accounts_minimum_age_login_defs:·7 
56 ······var_accounts_maximum_age_login_defs:·90 
57 ······var_accounts_password_warn_age_login_defs:·755 ······var_accounts_password_warn_age_login_defs:·7
 56 ······var_accounts_maximum_age_login_defs:·90
 57 ······var_accounts_minimum_age_login_defs:·7
58 ······var_password_pam_unix_remember:·558 ······var_password_pam_unix_remember:·5
59 ······var_accounts_passwords_pam_faillock_deny:·359 ······var_accounts_passwords_pam_faillock_deny:·3
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_tmout:·60063 ······var_accounts_tmout:·600
 64 ······var_removable_partition:·/dev/cdrom
64 ······var_auditd_max_log_file:·665 ······var_auditd_max_log_file:·6
65 ······var_auditd_admin_space_left_action:·single66 ······var_auditd_admin_space_left_action:·single
66 ······var_auditd_max_log_file_action:·rotate67 ······var_auditd_max_log_file_action:·rotate
67 ······var_removable_partition:·/dev/cdrom 
68 ···tasks:68 ···tasks:
69 ····-·name:·Disable·service·smb69 ····-·name:·Disable·service·vsftpd
70 ······service:70 ······service:
71 ········name="{{item}}"71 ········name="{{item}}"
72 ········enabled="no"72 ········enabled="no"
73 ········state="stopped"73 ········state="stopped"
74 ······register:·service_result74 ······register:·service_result
75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
76 ······with_items:76 ······with_items:
77 ········-·smb77 ········-·vsftpd
78 ······tags:78 ······tags:
79 ········-·service_smb_disabled79 ········-·service_vsftpd_disabled
80 ········-·unknown_severity80 ········-·unknown_severity
81 ········-·disable_strategy81 ········-·disable_strategy
82 ········-·low_complexity82 ········-·low_complexity
83 ········-·low_disruption83 ········-·low_disruption
84 ········-·CCE-27143-784 ········-·CCE-26948-0
85 ····85 ········-·NIST-800-53-CM-7
86 ····-·name:·Check·if·/etc/samba/smb.conf·exists 
87 ······stat: 
88 ········path:·/etc/samba/smb.conf 
89 ······register:·st_smb 
90 ······tags: 
91 ········-·require_smb_client_signing 
92 ········-·unknown_severity 
93 ········-·configure_strategy 
94 ········-·low_complexity 
95 ········-·medium_disruption 
96 ········-·CCE-26328-5 
97 ········-·DISA-STIG-RHEL-06-000272 
98 ····86 ····
99 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient87 ····-·name:·Ensure·vsftpd·is·removed
100 ······lineinfile:88 ······package:
101 ········dest:·/etc/samba/smb.conf89 ········name="{{item}}"
102 ········line:·client·signing·=·mandatory90 ········state=absent
103 ········state:·present91 ······with_items:
104 ········insertafter:·[global]92 ········-·vsftpd
105 ······when:·st_smb.stat.exists 
106 ······tags:93 ······tags:
107 ········-·require_smb_client_signing94 ········-·package_vsftpd_removed
108 ········-·unknown_severity95 ········-·unknown_severity
109 ········-·configure_strategy96 ········-·disable_strategy
110 ········-·low_complexity97 ········-·low_complexity
111 ········-·medium_disruption98 ········-·low_disruption
112 ········-·CCE-26328-599 ········-·CCE-26687-4
113 ········-·DISA-STIG-RHEL-06-000272100 ········-·NIST-800-53-CM-7
114 ····101 ····
115 ····-·name:·Disable·service·httpd102 ····-·name:·Disable·service·httpd
116 ······service:103 ······service:
117 ········name="{{item}}"104 ········name="{{item}}"
118 ········enabled="no"105 ········enabled="no"
119 ········state="stopped"106 ········state="stopped"
120 ······register:·service_result107 ······register:·service_result
Offset 141, 46 lines modifiedOffset 128, 92 lines modified
141 ········-·unknown_severity128 ········-·unknown_severity
142 ········-·disable_strategy129 ········-·disable_strategy
143 ········-·low_complexity130 ········-·low_complexity
144 ········-·low_disruption131 ········-·low_disruption
145 ········-·CCE-27133-8132 ········-·CCE-27133-8
146 ········-·NIST-800-53-CM-7133 ········-·NIST-800-53-CM-7
147 ····134 ····
148 ····-·name:·Ensure·dhcp·is·removed135 ····-·name:·Disable·service·named
 136 ······service:
 137 ········name="{{item}}"
 138 ········enabled="no"
 139 ········state="stopped"
 140 ······register:·service_result
 141 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 142 ······with_items:
 143 ········-·named
 144 ······tags:
 145 ········-·service_named_disabled
 146 ········-·unknown_severity
 147 ········-·disable_strategy
 148 ········-·low_complexity
 149 ········-·low_disruption
 150 ········-·CCE-26873-0
 151 ········-·NIST-800-53-CM-7
 152 ····
 153 ····-·name:·Ensure·bind·is·removed
149 ······package:154 ······package:
150 ········name="{{item}}"155 ········name="{{item}}"
151 ········state=absent156 ········state=absent
152 ······with_items:157 ······with_items:
153 ········-·dhcp158 ········-·bind
154 ······tags:159 ······tags:
155 ········-·package_dhcp_removed160 ········-·package_bind_removed
156 ········-·medium_severity161 ········-·unknown_severity
157 ········-·disable_strategy162 ········-·disable_strategy
158 ········-·low_complexity163 ········-·low_complexity
Max diff block lines reached; 126640/131720 bytes (96.14%) of diff not shown.
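Review bot: The two builds differ only in the order of `vars:` keys and of tasks, not in their content (new side: `var_accounts_maximum_age_login_defs` / `var_accounts_minimum_age_login_defs` swap places at lines 55-57, the `sysctl_net_ipv4_*` pairs are permuted, and `Disable service vsftpd` replaces `Disable service smb` at the head of `tasks:`), which indicates the role generator walks an unordered collection rather than a sorted one. Because 96% of the diff is truncated, it cannot be confirmed from this section that the task set is otherwise identical, so the fix belongs in the generator rather than in the emitted YAML, presumably something like iterating `sorted(...)` over the variable and rule keys before rendering. The same pattern appears in the ssg-rhel6-role-fisma-medium-rhel6-server.yml, ssg-rhel6-role-ftp-server.yml and ssg-rhel6-role-nist-CL-IL-AL.yml sections below. Note that although key order is semantically irrelevant to Ansible, task order is not: a reordered task list changes the remediation sequence between builds, which is a reproducibility and auditability defect for a security-hardening role.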
147 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-fisma-medium-rhel6-server.yml
    
Offset 32, 46 lines modifiedOffset 32, 46 lines modified
32 ·········msg:·>32 ·········msg:·>
33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
34 ··········34 ··········
35 ···vars:35 ···vars:
36 ······sysctl_net_ipv6_conf_default_accept_ra_value:·036 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
37 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·037 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
38 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·038 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
39 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·139 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
40 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·040 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
41 ······sysctl_net_ipv4_conf_default_rp_filter_value:·141 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
42 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·142 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
43 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·143 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
44 ······sysctl_net_ipv4_tcp_syncookies_value:·144 ······sysctl_net_ipv4_tcp_syncookies_value:·1
45 ······sysctl_net_ipv4_conf_all_log_martians_value:·045 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
46 ······sysctl_net_ipv4_conf_all_rp_filter_value:·146 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
47 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·147 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·048 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
49 ······var_selinux_policy_name:·targeted49 ······var_selinux_policy_name:·targeted
50 ······var_selinux_state:·enforcing50 ······var_selinux_state:·enforcing
51 ······var_accounts_password_minlen_login_defs:·1251 ······var_accounts_password_minlen_login_defs:·12
52 ······var_accounts_minimum_age_login_defs:·1 
53 ······var_accounts_maximum_age_login_defs:·120 
54 ······var_accounts_password_warn_age_login_defs:·752 ······var_accounts_password_warn_age_login_defs:·7
 53 ······var_accounts_maximum_age_login_defs:·120
 54 ······var_accounts_minimum_age_login_defs:·1
55 ······var_account_disable_post_pw_expiration:·9055 ······var_account_disable_post_pw_expiration:·90
56 ······var_password_pam_unix_remember:·2456 ······var_password_pam_unix_remember:·24
57 ······var_accounts_passwords_pam_faillock_deny:·357 ······var_accounts_passwords_pam_faillock_deny:·3
58 ······var_accounts_passwords_pam_faillock_unlock_time:·60480058 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
59 ······var_accounts_passwords_pam_faillock_fail_interval:·90059 ······var_accounts_passwords_pam_faillock_fail_interval:·900
60 ······var_password_pam_maxrepeat:·360 ······var_password_pam_maxrepeat:·3
61 ······var_password_pam_retry:·361 ······var_password_pam_retry:·3
62 ······var_accounts_max_concurrent_login_sessions:·162 ······var_accounts_max_concurrent_login_sessions:·1
 63 ······var_removable_partition:·/dev/cdrom
 64 ······var_removable_partition:·/dev/cdrom
 65 ······var_removable_partition:·/dev/cdrom
63 ······var_auditd_max_log_file:·166 ······var_auditd_max_log_file:·1
64 ······var_auditd_action_mail_acct:·admin67 ······var_auditd_action_mail_acct:·admin
65 ······var_auditd_space_left_action:·suspend 
66 ······var_auditd_admin_space_left_action:·halt68 ······var_auditd_admin_space_left_action:·halt
 69 ······var_auditd_space_left_action:·suspend
67 ······var_auditd_max_log_file_action:·ignore70 ······var_auditd_max_log_file_action:·ignore
68 ······var_removable_partition:·/dev/cdrom 
69 ······var_removable_partition:·/dev/cdrom 
70 ······var_removable_partition:·/dev/cdrom 
71 ···tasks:71 ···tasks:
72 ····-·name:·Enable·service·ntpd72 ····-·name:·Enable·service·ntpd
73 ······service:73 ······service:
74 ········name="{{item}}"74 ········name="{{item}}"
75 ········enabled="yes"75 ········enabled="yes"
76 ········state="started"76 ········state="started"
77 ······with_items:77 ······with_items:
Offset 83, 14 lines modifiedOffset 83, 50 lines modified
83 ········-·low_complexity83 ········-·low_complexity
84 ········-·low_disruption84 ········-·low_disruption
85 ········-·CCE-27093-485 ········-·CCE-27093-4
86 ········-·NIST-800-53-AU-8(1)86 ········-·NIST-800-53-AU-8(1)
87 ········-·PCI-DSS-Req-10.487 ········-·PCI-DSS-Req-10.4
88 ········-·DISA-STIG-RHEL-06-00024788 ········-·DISA-STIG-RHEL-06-000247
89 ····89 ····
 90 ····-·name:·Enable·service·crond
 91 ······service:
 92 ········name="{{item}}"
 93 ········enabled="yes"
 94 ········state="started"
 95 ······with_items:
 96 ········-·crond
 97 ······tags:
 98 ········-·service_crond_enabled
 99 ········-·medium_severity
 100 ········-·enable_strategy
 101 ········-·low_complexity
 102 ········-·low_disruption
 103 ········-·CCE-27070-2
 104 ········-·NIST-800-53-CM-7
 105 ········-·DISA-STIG-RHEL-06-000224
 106 ····
 107 ····-·name:·Disable·service·atd
 108 ······service:
 109 ········name="{{item}}"
 110 ········enabled="no"
 111 ········state="stopped"
 112 ······register:·service_result
 113 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 114 ······with_items:
 115 ········-·atd
 116 ······tags:
 117 ········-·service_atd_disabled
 118 ········-·unknown_severity
 119 ········-·disable_strategy
 120 ········-·low_complexity
 121 ········-·low_disruption
 122 ········-·CCE-27249-2
 123 ········-·NIST-800-53-CM-7
 124 ········-·DISA-STIG-RHEL-06-000262
 125 ····
90 ····-·name:·Ensure·rsh·is·removed126 ····-·name:·Ensure·rsh·is·removed
91 ······package:127 ······package:
92 ········name="{{item}}"128 ········name="{{item}}"
93 ········state=absent129 ········state=absent
94 ······with_items:130 ······with_items:
95 ········-·rsh131 ········-·rsh
96 ······tags:132 ······tags:
Offset 243, 50 lines modifiedOffset 279, 14 lines modified
243 ········-·disable_strategy279 ········-·disable_strategy
244 ········-·low_complexity280 ········-·low_complexity
245 ········-·low_disruption281 ········-·low_disruption
246 ········-·CCE-27005-8282 ········-·CCE-27005-8
247 ········-·NIST-800-53-CM-7283 ········-·NIST-800-53-CM-7
248 ········-·DISA-STIG-RHEL-06-000204284 ········-·DISA-STIG-RHEL-06-000204
249 ····285 ····
250 ····-·name:·Enable·service·crond 
251 ······service: 
252 ········name="{{item}}" 
253 ········enabled="yes" 
254 ········state="started" 
255 ······with_items: 
256 ········-·crond 
257 ······tags: 
258 ········-·service_crond_enabled 
259 ········-·medium_severity 
260 ········-·enable_strategy 
261 ········-·low_complexity 
262 ········-·low_disruption 
263 ········-·CCE-27070-2 
264 ········-·NIST-800-53-CM-7 
265 ········-·DISA-STIG-RHEL-06-000224 
Max diff block lines reached; 145514/150564 bytes (96.65%) of diff not shown.
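Review bot: `var_removable_partition: /dev/cdrom` is emitted three times in the same `vars:` mapping (new side lines 63-65, old side lines 68-70), which is a duplicate-key defect independent of the ordering churn. A YAML mapping may not contain repeated keys; parsers either reject the document or silently keep one of the values, and a role that is supposed to hardens removable-media mounts should not depend on that choice. The generator should de-duplicate variables by name before rendering so the block becomes a single `var_removable_partition: /dev/cdrom` line; the same triplication appears in the ssg-rhel6-role-nist-CL-IL-AL.yml section (new side lines 69-71).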
117 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-ftp-server.yml
    
Offset 33, 42 lines modifiedOffset 33, 57 lines modified
33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
34 ··········34 ··········
35 ···vars:35 ···vars:
36 ······sshd_idle_timeout_value:·30036 ······sshd_idle_timeout_value:·300
37 ······rsyslog_remote_loghost_address:·None37 ······rsyslog_remote_loghost_address:·None
38 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·038 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
39 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·039 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
40 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·140 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
41 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·041 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
42 ······sysctl_net_ipv4_conf_default_rp_filter_value:·142 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
43 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·043 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·044 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
45 ······sysctl_net_ipv4_tcp_syncookies_value:·145 ······sysctl_net_ipv4_tcp_syncookies_value:·1
46 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·046 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
47 ······sysctl_net_ipv4_conf_all_log_martians_value:·147 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
48 ······sysctl_net_ipv4_conf_all_rp_filter_value:·148 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
49 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·149 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
50 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·050 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
51 ······var_selinux_policy_name:·targeted51 ······var_selinux_policy_name:·targeted
52 ······var_selinux_state:·enforcing52 ······var_selinux_state:·enforcing
53 ······var_accounts_password_minlen_login_defs:·1553 ······var_accounts_password_minlen_login_defs:·15
54 ······var_accounts_minimum_age_login_defs:·7 
55 ······var_accounts_maximum_age_login_defs:·90 
56 ······var_accounts_password_warn_age_login_defs:·754 ······var_accounts_password_warn_age_login_defs:·7
 55 ······var_accounts_maximum_age_login_defs:·90
 56 ······var_accounts_minimum_age_login_defs:·7
57 ······var_password_pam_unix_remember:·557 ······var_password_pam_unix_remember:·5
58 ······var_accounts_passwords_pam_faillock_deny:·358 ······var_accounts_passwords_pam_faillock_deny:·3
59 ······var_accounts_passwords_pam_faillock_unlock_time:·60480059 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
60 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000060 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
61 ······var_password_pam_retry:·361 ······var_password_pam_retry:·3
62 ······var_accounts_tmout:·60062 ······var_accounts_tmout:·600
 63 ······var_removable_partition:·/dev/cdrom
63 ······var_auditd_max_log_file:·664 ······var_auditd_max_log_file:·6
64 ······var_auditd_admin_space_left_action:·single65 ······var_auditd_admin_space_left_action:·single
65 ······var_auditd_max_log_file_action:·rotate66 ······var_auditd_max_log_file_action:·rotate
66 ······var_removable_partition:·/dev/cdrom 
67 ···tasks:67 ···tasks:
 68 ····-·name:·Ensure·vsftpd·is·installed
 69 ······package:
 70 ········name="{{item}}"
 71 ········state=present
 72 ······with_items:
 73 ········-·vsftpd
 74 ······tags:
 75 ········-·package_vsftpd_installed
 76 ········-·unknown_severity
 77 ········-·enable_strategy
 78 ········-·low_complexity
 79 ········-·low_disruption
 80 ········-·CCE-27187-4
 81 ········-·NIST-800-53-CM-7
 82 ····
68 ····-·name:·Check·if·/etc/samba/smb.conf·exists83 ····-·name:·Check·if·/etc/samba/smb.conf·exists
69 ······stat:84 ······stat:
70 ········path:·/etc/samba/smb.conf85 ········path:·/etc/samba/smb.conf
71 ······register:·st_smb86 ······register:·st_smb
72 ······tags:87 ······tags:
73 ········-·require_smb_client_signing88 ········-·require_smb_client_signing
74 ········-·unknown_severity89 ········-·unknown_severity
Offset 108, 14 lines modifiedOffset 123, 81 lines modified
108 ········-·low_complexity123 ········-·low_complexity
109 ········-·low_disruption124 ········-·low_disruption
110 ········-·CCE-27093-4125 ········-·CCE-27093-4
111 ········-·NIST-800-53-AU-8(1)126 ········-·NIST-800-53-AU-8(1)
112 ········-·PCI-DSS-Req-10.4127 ········-·PCI-DSS-Req-10.4
113 ········-·DISA-STIG-RHEL-06-000247128 ········-·DISA-STIG-RHEL-06-000247
114 ····129 ····
 130 ····-·name:·Ensure·openldap-servers·is·removed
 131 ······package:
 132 ········name="{{item}}"
 133 ········state=absent
 134 ······with_items:
 135 ········-·openldap-servers
 136 ······tags:
 137 ········-·package_openldap-servers_removed
 138 ········-·unknown_severity
 139 ········-·disable_strategy
 140 ········-·low_complexity
 141 ········-·low_disruption
 142 ········-·CCE-26858-1
 143 ········-·NIST-800-53-CM-7
 144 ········-·DISA-STIG-RHEL-06-000256
 145 ····
 146 ····-·name:·Enable·service·crond
 147 ······service:
 148 ········name="{{item}}"
 149 ········enabled="yes"
 150 ········state="started"
 151 ······with_items:
 152 ········-·crond
 153 ······tags:
 154 ········-·service_crond_enabled
 155 ········-·medium_severity
 156 ········-·enable_strategy
 157 ········-·low_complexity
 158 ········-·low_disruption
 159 ········-·CCE-27070-2
 160 ········-·NIST-800-53-CM-7
 161 ········-·DISA-STIG-RHEL-06-000224
 162 ····
 163 ····-·name:·Disable·service·atd
 164 ······service:
 165 ········name="{{item}}"
 166 ········enabled="no"
 167 ········state="stopped"
 168 ······register:·service_result
 169 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 170 ······with_items:
 171 ········-·atd
 172 ······tags:
 173 ········-·service_atd_disabled
 174 ········-·unknown_severity
 175 ········-·disable_strategy
 176 ········-·low_complexity
 177 ········-·low_disruption
 178 ········-·CCE-27249-2
 179 ········-·NIST-800-53-CM-7
 180 ········-·DISA-STIG-RHEL-06-000262
 181 ····
 182 ····-·name:·Ensure·xorg-x11-server-common·is·removed
 183 ······package:
 184 ········name="{{item}}"
 185 ········state=absent
 186 ······with_items:
 187 ········-·xorg-x11-server-common
 188 ······tags:
Max diff block lines reached; 114906/119566 bytes (96.10%) of diff not shown.
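Review bot: The `failed_when: "service_result|failed and (...)"` expression on every `Disable service ...` task (new side line 169 here) uses the `failed` filter form, which is correct for the Ansible 2.3 floor this role declares at the top of the play but is the form that later Ansible releases replaced with the `is failed` test. The generator template that produces this line would benefit from a comment such as `# 'result|failed' is kept for the Ansible 2.3 minimum; newer releases expect 'result is failed'` so the compatibility trade-off is visible when the minimum version is raised. The enclosing play starts outside this section.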
171 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-nist-CL-IL-AL.yml
    
Offset 38, 75 lines modifiedOffset 38, 61 lines modified
38 ··········38 ··········
39 ···vars:39 ···vars:
40 ······sshd_idle_timeout_value:·30040 ······sshd_idle_timeout_value:·300
41 ······rsyslog_remote_loghost_address:·None41 ······rsyslog_remote_loghost_address:·None
42 ······sysctl_net_ipv6_conf_default_accept_ra_value:·042 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
43 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·044 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
45 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·145 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
46 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·046 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
47 ······sysctl_net_ipv4_conf_default_rp_filter_value:·147 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
48 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·148 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
49 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·149 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
50 ······sysctl_net_ipv4_tcp_syncookies_value:·150 ······sysctl_net_ipv4_tcp_syncookies_value:·1
51 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·051 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
52 ······sysctl_net_ipv4_conf_all_log_martians_value:·152 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
53 ······sysctl_net_ipv4_conf_all_rp_filter_value:·153 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
54 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·154 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
55 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·055 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
56 ······var_selinux_policy_name:·targeted56 ······var_selinux_policy_name:·targeted
57 ······var_selinux_state:·enforcing57 ······var_selinux_state:·enforcing
58 ······var_accounts_password_minlen_login_defs:·1558 ······var_accounts_password_minlen_login_defs:·15
59 ······var_accounts_minimum_age_login_defs:·7 
60 ······var_accounts_maximum_age_login_defs:·90 
61 ······var_accounts_password_warn_age_login_defs:·759 ······var_accounts_password_warn_age_login_defs:·7
 60 ······var_accounts_maximum_age_login_defs:·90
 61 ······var_accounts_minimum_age_login_defs:·7
62 ······var_account_disable_post_pw_expiration:·4062 ······var_account_disable_post_pw_expiration:·40
63 ······var_password_pam_unix_remember:·563 ······var_password_pam_unix_remember:·5
64 ······var_accounts_passwords_pam_faillock_deny:·364 ······var_accounts_passwords_pam_faillock_deny:·3
65 ······var_accounts_passwords_pam_faillock_unlock_time:·90065 ······var_accounts_passwords_pam_faillock_unlock_time:·900
66 ······var_accounts_passwords_pam_faillock_fail_interval:·90066 ······var_accounts_passwords_pam_faillock_fail_interval:·900
67 ······var_password_pam_retry:·367 ······var_password_pam_retry:·3
68 ······var_accounts_tmout:·60068 ······var_accounts_tmout:·600
 69 ······var_removable_partition:·/dev/cdrom
 70 ······var_removable_partition:·/dev/cdrom
 71 ······var_removable_partition:·/dev/cdrom
69 ······var_auditd_max_log_file:·672 ······var_auditd_max_log_file:·6
70 ······var_auditd_action_mail_acct:·admin73 ······var_auditd_action_mail_acct:·admin
71 ······var_auditd_space_left_action:·suspend 
72 ······var_auditd_admin_space_left_action:·single74 ······var_auditd_admin_space_left_action:·single
 75 ······var_auditd_space_left_action:·suspend
73 ······var_auditd_max_log_file_action:·rotate76 ······var_auditd_max_log_file_action:·rotate
74 ······var_removable_partition:·/dev/cdrom 
75 ······var_removable_partition:·/dev/cdrom 
76 ······var_removable_partition:·/dev/cdrom 
77 ···tasks:77 ···tasks:
78 ····-·name:·Check·if·/etc/samba/smb.conf·exists78 ····-·name:·Ensure·vsftpd·is·removed
79 ······stat:79 ······package:
80 ········path:·/etc/samba/smb.conf80 ········name="{{item}}"
81 ······register:·st_smb81 ········state=absent
82 ······tags:82 ······with_items:
83 ········-·require_smb_client_signing83 ········-·vsftpd
84 ········-·unknown_severity 
85 ········-·configure_strategy 
86 ········-·low_complexity 
87 ········-·medium_disruption 
88 ········-·CCE-26328-5 
89 ········-·DISA-STIG-RHEL-06-000272 
90 ···· 
91 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient 
92 ······lineinfile: 
93 ········dest:·/etc/samba/smb.conf 
94 ········line:·client·signing·=·mandatory 
95 ········state:·present 
96 ········insertafter:·[global] 
97 ······when:·st_smb.stat.exists 
98 ······tags:84 ······tags:
99 ········-·require_smb_client_signing85 ········-·package_vsftpd_removed
100 ········-·unknown_severity86 ········-·unknown_severity
101 ········-·configure_strategy87 ········-·disable_strategy
102 ········-·low_complexity88 ········-·low_complexity
103 ········-·medium_disruption89 ········-·low_disruption
104 ········-·CCE-26328-590 ········-·CCE-26687-4
105 ········-·DISA-STIG-RHEL-06-00027291 ········-·NIST-800-53-CM-7
106 ····92 ····
107 ····-·name:·Disable·service·httpd93 ····-·name:·Disable·service·httpd
108 ······service:94 ······service:
109 ········name="{{item}}"95 ········name="{{item}}"
110 ········enabled="no"96 ········enabled="no"
111 ········state="stopped"97 ········state="stopped"
112 ······register:·service_result98 ······register:·service_result
Offset 133, 62 lines modifiedOffset 119, 75 lines modified
133 ········-·unknown_severity119 ········-·unknown_severity
134 ········-·disable_strategy120 ········-·disable_strategy
135 ········-·low_complexity121 ········-·low_complexity
136 ········-·low_disruption122 ········-·low_disruption
137 ········-·CCE-27133-8123 ········-·CCE-27133-8
138 ········-·NIST-800-53-CM-7124 ········-·NIST-800-53-CM-7
139 ····125 ····
140 ····-·name:·Ensure·sendmail·is·removed126 ····-·name:·Disable·service·named
141 ······package:127 ······service:
142 ········name="{{item}}"128 ········name="{{item}}"
143 ········state=absent129 ········enabled="no"
 130 ········state="stopped"
 131 ······register:·service_result
 132 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
144 ······with_items:133 ······with_items:
145 ········-·sendmail134 ········-·named
146 ······tags:135 ······tags:
147 ········-·package_sendmail_removed136 ········-·service_named_disabled
148 ········-·medium_severity137 ········-·unknown_severity
149 ········-·disable_strategy138 ········-·disable_strategy
150 ········-·low_complexity139 ········-·low_complexity
151 ········-·low_disruption140 ········-·low_disruption
152 ········-·CCE-27515-6141 ········-·CCE-26873-0
153 ········-·NIST-800-53-CM-7142 ········-·NIST-800-53-CM-7
154 ········-·DISA-STIG-RHEL-06-000288 
155 ····143 ····
156 ····-·name:·Ensure·dhcp·is·removed144 ····-·name:·Ensure·bind·is·removed
157 ······package:145 ······package:
158 ········name="{{item}}"146 ········name="{{item}}"
159 ········state=absent147 ········state=absent
160 ······with_items:148 ······with_items:
161 ········-·dhcp149 ········-·bind
162 ······tags:150 ······tags:
163 ········-·package_dhcp_removed151 ········-·package_bind_removed
164 ········-·medium_severity152 ········-·unknown_severity
165 ········-·disable_strategy153 ········-·disable_strategy
166 ········-·low_complexity154 ········-·low_complexity
167 ········-·low_disruption155 ········-·low_disruption
168 ········-·CCE-27120-5156 ········-·CCE-27030-6
169 ········-·NIST-800-53-CM-7157 ········-·NIST-800-53-CM-7
170 ····158 ····
171 ····-·name:·Disable·service·dhcpd159 ····-·name:·Check·if·/etc/samba/smb.conf·exists
172 ······service:160 ······stat:
173 ········name="{{item}}"161 ········path:·/etc/samba/smb.conf
174 ········enabled="no"162 ······register:·st_smb
Max diff block lines reached; 169386/174902 bytes (96.85%) of diff not shown.
89.4 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-pci-dss.yml
    
Offset 39, 16 lines modifiedOffset 39, 16 lines modified
39 ······var_password_pam_unix_remember:·439 ······var_password_pam_unix_remember:·4
40 ······var_accounts_passwords_pam_faillock_deny:·640 ······var_accounts_passwords_pam_faillock_deny:·6
41 ······var_accounts_passwords_pam_faillock_unlock_time:·180041 ······var_accounts_passwords_pam_faillock_unlock_time:·1800
42 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000042 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
43 ······var_password_pam_minlen:·743 ······var_password_pam_minlen:·7
44 ······var_auditd_max_log_file:·144 ······var_auditd_max_log_file:·1
45 ······var_auditd_action_mail_acct:·admin45 ······var_auditd_action_mail_acct:·admin
46 ······var_auditd_space_left_action:·suspend 
47 ······var_auditd_admin_space_left_action:·suspend46 ······var_auditd_admin_space_left_action:·suspend
 47 ······var_auditd_space_left_action:·suspend
48 ······var_auditd_max_log_file_action:·ignore48 ······var_auditd_max_log_file_action:·ignore
49 ···tasks:49 ···tasks:
50 ····-·name:·Enable·service·ntpd50 ····-·name:·Enable·service·ntpd
51 ······service:51 ······service:
52 ········name="{{item}}"52 ········name="{{item}}"
53 ········enabled="yes"53 ········enabled="yes"
54 ········state="started"54 ········state="started"
Offset 83, 439 lines modifiedOffset 83, 14 lines modified
83 ········-·low_disruption83 ········-·low_disruption
84 ········-·CCE-26919-184 ········-·CCE-26919-1
85 ········-·NIST-800-53-AC-2(5)85 ········-·NIST-800-53-AC-2(5)
86 ········-·NIST-800-53-SA-886 ········-·NIST-800-53-SA-8
87 ········-·PCI-DSS-Req-8.1.887 ········-·PCI-DSS-Req-8.1.8
88 ········-·DISA-STIG-RHEL-06-00023088 ········-·DISA-STIG-RHEL-06-000230
89 ····89 ····
90 ····-·name:·"Read·list·of·files·with·incorrect·permissions" 
91 ······shell:·"rpm·-Va·|·grep·'^.M'·|·cut·-d·'·'·-f5-·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" 
92 ······register:·files_with_incorrect_permissions 
93 ······failed_when:·False 
94 ······changed_when:·False 
95 ······check_mode:·no 
96 ······tags: 
97 ········-·rpm_verify_permissions 
98 ········-·unknown_severity 
99 ········-·restrict_strategy 
100 ········-·high_complexity 
101 ········-·medium_disruption 
102 ········-·CCE-26731-0 
103 ········-·NIST-800-53-AC-6 
104 ········-·NIST-800-53-CM-6(d) 
105 ········-·NIST-800-53-SI-7 
106 ········-·PCI-DSS-Req-11.5 
107 ········-·DISA-STIG-RHEL-06-000518 
108 ···· 
109 ····-·name:·"Correct·file·permissions·with·RPM" 
110 ······shell:·"rpm·--setperms·$(rpm·-qf·'{{item}}')" 
111 ······with_items:·"{{·files_with_incorrect_permissions.stdout_lines·}}" 
112 ······when:·files_with_incorrect_permissions.stdout_lines·|·length·>·0 
113 ······tags: 
114 ········-·rpm_verify_permissions 
115 ········-·unknown_severity 
116 ········-·restrict_strategy 
117 ········-·high_complexity 
118 ········-·medium_disruption 
119 ········-·CCE-26731-0 
120 ········-·NIST-800-53-AC-6 
121 ········-·NIST-800-53-CM-6(d) 
122 ········-·NIST-800-53-SI-7 
123 ········-·PCI-DSS-Req-11.5 
124 ········-·DISA-STIG-RHEL-06-000518 
125 ···· 
126 ····-·name:·"Set·fact:·Package·manager·reinstall·command·(dnf)" 
127 ······set_fact: 
128 ········package_manager_reinstall_cmd:·dnf·reinstall·-y 
129 ······when:·ansible_distribution·==·"Fedora" 
130 ······tags: 
131 ········-·rpm_verify_hashes 
132 ········-·unknown_severity 
133 ········-·unknown_strategy 
134 ········-·high_complexity 
135 ········-·medium_disruption 
136 ········-·CCE-27223-7 
137 ········-·NIST-800-53-CM-6(d) 
138 ········-·NIST-800-53-SI-7 
139 ········-·PCI-DSS-Req-11.5 
140 ········-·DISA-STIG-RHEL-06-000519 
141 ···· 
142 ····-·name:·"Set·fact:·Package·manager·reinstall·command·(yum)" 
143 ······set_fact: 
144 ········package_manager_reinstall_cmd:·yum·reinstall·-y 
145 ······when:·ansible_distribution·==·"RedHat"·or·ansible_distribution·==·"OracleLinux" 
146 ······tags: 
147 ········-·rpm_verify_hashes 
148 ········-·unknown_severity 
149 ········-·unknown_strategy 
150 ········-·high_complexity 
151 ········-·medium_disruption 
152 ········-·CCE-27223-7 
153 ········-·NIST-800-53-CM-6(d) 
154 ········-·NIST-800-53-SI-7 
155 ········-·PCI-DSS-Req-11.5 
156 ········-·DISA-STIG-RHEL-06-000519 
157 ···· 
158 ····-·name:·"Read·files·with·incorrect·hash" 
159 ······shell:·"rpm·-Va·|·grep·-E·'^..5.*·/(bin|sbin|lib|lib64|usr)/'·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" 
160 ······register:·files_with_incorrect_hash 
161 ······changed_when:·False 
162 ······when:·package_manager_reinstall_cmd·is·defined 
163 ······check_mode:·no 
164 ······tags: 
165 ········-·rpm_verify_hashes 
166 ········-·unknown_severity 
167 ········-·unknown_strategy 
168 ········-·high_complexity 
169 ········-·medium_disruption 
170 ········-·CCE-27223-7 
171 ········-·NIST-800-53-CM-6(d) 
172 ········-·NIST-800-53-SI-7 
173 ········-·PCI-DSS-Req-11.5 
174 ········-·DISA-STIG-RHEL-06-000519 
175 ···· 
176 ····-·name:·"Reinstall·packages·of·files·with·incorrect·hash" 
177 ······shell:·"{{package_manager_reinstall_cmd}}·$(rpm·-qf·'{{item}}')" 
178 ······with_items:·"{{·files_with_incorrect_hash.stdout_lines·}}" 
179 ······when:·package_manager_reinstall_cmd·is·defined·and·(files_with_incorrect_hash.stdout_lines·|·length·>·0) 
180 ······tags: 
181 ········-·rpm_verify_hashes 
182 ········-·unknown_severity 
183 ········-·unknown_strategy 
184 ········-·high_complexity 
185 ········-·medium_disruption 
186 ········-·CCE-27223-7 
187 ········-·NIST-800-53-CM-6(d) 
188 ········-·NIST-800-53-SI-7 
189 ········-·PCI-DSS-Req-11.5 
190 ········-·DISA-STIG-RHEL-06-000519 
191 ···· 
Max diff block lines reached; 77885/91457 bytes (85.16%) of diff not shown.
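Review bot: The two builds emit the `vars:` mapping in different key orders (`var_auditd_space_left_action` and `var_auditd_admin_space_left_action` swap places at lines 46–47), and the second hunk shows the whole `rpm_verify_permissions`/`rpm_verify_hashes` task group leaving its position, so the generated role is not byte-identical across builds and the package does not reproduce. Ansible runs tasks in list order and this group relies on it — `Read files with incorrect hash` and `Reinstall packages of files with incorrect hash` gate on `package_manager_reinstall_cmd is defined`, which the two `set_fact` tasks above them populate — so a generator that orders tasks by hash/set iteration (presumably what happens here) risks emitting a consumer before its producer, not merely an unstable file. The generator should write vars and tasks in a deterministic order (sorted by rule id, or in the profile's declared order) and de-duplicate keys; the same reorder appears in ssg-rhel6-role-rht-ccp.yml, -server.yml, -standard.yml and -stig-rhel6-disa.yml below, and in the last of those the new side also carries `var_removable_partition: /dev/cdrom` three times (lines 74–76), a duplicate mapping key that YAML loaders handle inconsistently. Diffoscope truncates this section, so where the moved task group lands on the new side is not visible.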
26.4 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-rht-ccp.yml
    
Offset 33, 23 lines modifiedOffset 33, 42 lines modified
33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
34 ··········34 ··········
35 ···vars:35 ···vars:
36 ······sshd_idle_timeout_value:·30036 ······sshd_idle_timeout_value:·300
37 ······var_selinux_policy_name:·targeted37 ······var_selinux_policy_name:·targeted
38 ······var_selinux_state:·enforcing38 ······var_selinux_state:·enforcing
39 ······var_accounts_password_minlen_login_defs:·639 ······var_accounts_password_minlen_login_defs:·6
40 ······var_accounts_minimum_age_login_defs:·7 
41 ······var_accounts_maximum_age_login_defs:·120 
42 ······var_accounts_password_warn_age_login_defs:·740 ······var_accounts_password_warn_age_login_defs:·7
 41 ······var_accounts_maximum_age_login_defs:·120
 42 ······var_accounts_minimum_age_login_defs:·7
43 ······var_password_pam_unix_remember:·543 ······var_password_pam_unix_remember:·5
44 ······var_accounts_passwords_pam_faillock_deny:·544 ······var_accounts_passwords_pam_faillock_deny:·5
45 ······var_accounts_passwords_pam_faillock_unlock_time:·60480045 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
46 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000046 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
47 ······var_password_pam_retry:·347 ······var_password_pam_retry:·3
48 ···tasks:48 ···tasks:
 49 ····-·name:·Disable·service·atd
 50 ······service:
 51 ········name="{{item}}"
 52 ········enabled="no"
 53 ········state="stopped"
 54 ······register:·service_result
 55 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 56 ······with_items:
 57 ········-·atd
 58 ······tags:
 59 ········-·service_atd_disabled
 60 ········-·unknown_severity
 61 ········-·disable_strategy
 62 ········-·low_complexity
 63 ········-·low_disruption
 64 ········-·CCE-27249-2
 65 ········-·NIST-800-53-CM-7
 66 ········-·DISA-STIG-RHEL-06-000262
 67 ····
49 ····-·name:·Ensure·rsh-server·is·removed68 ····-·name:·Ensure·rsh-server·is·removed
50 ······package:69 ······package:
51 ········name="{{item}}"70 ········name="{{item}}"
52 ········state=absent71 ········state=absent
53 ······with_items:72 ······with_items:
54 ········-·rsh-server73 ········-·rsh-server
55 ······tags:74 ······tags:
Offset 179, 33 lines modifiedOffset 198, 14 lines modified
179 ········-·disable_strategy198 ········-·disable_strategy
180 ········-·low_complexity199 ········-·low_complexity
181 ········-·low_disruption200 ········-·low_disruption
182 ········-·CCE-27005-8201 ········-·CCE-27005-8
183 ········-·NIST-800-53-CM-7202 ········-·NIST-800-53-CM-7
184 ········-·DISA-STIG-RHEL-06-000204203 ········-·DISA-STIG-RHEL-06-000204
185 ····204 ····
186 ····-·name:·Disable·service·atd 
187 ······service: 
188 ········name="{{item}}" 
189 ········enabled="no" 
190 ········state="stopped" 
191 ······register:·service_result 
192 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" 
193 ······with_items: 
194 ········-·atd 
195 ······tags: 
196 ········-·service_atd_disabled 
197 ········-·unknown_severity 
198 ········-·disable_strategy 
199 ········-·low_complexity 
200 ········-·low_disruption 
201 ········-·CCE-27249-2 
202 ········-·NIST-800-53-CM-7 
203 ········-·DISA-STIG-RHEL-06-000262 
204 ···· 
205 ····-·name:·Disable·service·rdisc205 ····-·name:·Disable·service·rdisc
206 ······service:206 ······service:
207 ········name="{{item}}"207 ········name="{{item}}"
208 ········enabled="no"208 ········enabled="no"
209 ········state="stopped"209 ········state="stopped"
210 ······register:·service_result210 ······register:·service_result
211 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"211 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 294, 14 lines modifiedOffset 294, 33 lines modified
294 ········-·disable_strategy294 ········-·disable_strategy
295 ········-·low_complexity295 ········-·low_complexity
296 ········-·low_disruption296 ········-·low_disruption
297 ········-·CCE-27256-7297 ········-·CCE-27256-7
298 ········-·NIST-800-53-CM-7298 ········-·NIST-800-53-CM-7
299 ········-·DISA-STIG-RHEL-06-000265299 ········-·DISA-STIG-RHEL-06-000265
300 ····300 ····
 301 ····-·name:·Disable·service·avahi-daemon
 302 ······service:
 303 ········name="{{item}}"
 304 ········enabled="no"
 305 ········state="stopped"
 306 ······register:·service_result
 307 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 308 ······with_items:
 309 ········-·avahi-daemon
 310 ······tags:
 311 ········-·service_avahi-daemon_disabled
 312 ········-·unknown_severity
 313 ········-·disable_strategy
 314 ········-·low_complexity
 315 ········-·low_disruption
 316 ········-·CCE-27087-6
 317 ········-·NIST-800-53-CM-7
 318 ········-·DISA-STIG-RHEL-06-000246
 319 ····
301 ····-·name:·Disable·SSH·Support·for·.rhosts·Files320 ····-·name:·Disable·SSH·Support·for·.rhosts·Files
302 ······lineinfile:321 ······lineinfile:
303 ········create:·yes322 ········create:·yes
304 ········dest:·/etc/ssh/sshd_config323 ········dest:·/etc/ssh/sshd_config
305 ········regexp:·^IgnoreRhosts324 ········regexp:·^IgnoreRhosts
306 ········line:·IgnoreRhosts·yes325 ········line:·IgnoreRhosts·yes
307 ········validate:·sshd·-t·-f·%s326 ········validate:·sshd·-t·-f·%s
Offset 440, 33 lines modifiedOffset 459, 14 lines modified
440 ········-·restrict_strategy459 ········-·restrict_strategy
441 ········-·low_complexity460 ········-·low_complexity
442 ········-·low_disruption461 ········-·low_disruption
443 ········-·CCE-27091-8462 ········-·CCE-27091-8
444 ········-·NIST-800-53-AC-3463 ········-·NIST-800-53-AC-3
445 ········-·DISA-STIG-RHEL-06-000236464 ········-·DISA-STIG-RHEL-06-000236
446 ····465 ····
447 ···· 
448 ····-·name:·"Allow·Only·SSH·Protocol·2" 
449 ······lineinfile: 
450 ········dest:·/etc/ssh/sshd_config 
451 ········regexp:·"^Protocol·[0-9]" 
452 ········line:·"Protocol·2" 
453 ········validate:·sshd·-t·-f·%s 
Max diff block lines reached; 22675/26927 bytes (84.21%) of diff not shown.
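Review bot: `Allow Only SSH Protocol 2` (old lines 448–453) drops out of the shown region while `Disable service avahi-daemon` appears at new lines 301–318 and `Disable service atd` moves from old 186 to new 49; because the section is truncated, it is not visible whether the sshd `Protocol 2` task reappears elsewhere in the b2 role, and that should be confirmed before treating this as pure reordering — the hunk's 33→14 line counts are consistent with a move but do not prove one. The relocated service tasks also use the filter form `service_result|failed` in `failed_when`; Ansible 2.5 deprecated that spelling in favour of the test form, so the generator's template should emit `failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"`, which is compatible with the 2.3 minimum the role asserts at line 33. The moved `atd` block is otherwise identical on both sides.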
116 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-server.yml
    
Offset 34, 41 lines modifiedOffset 34, 41 lines modified
34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
35 ··········35 ··········
36 ···vars:36 ···vars:
37 ······sshd_idle_timeout_value:·30037 ······sshd_idle_timeout_value:·300
38 ······rsyslog_remote_loghost_address:·None38 ······rsyslog_remote_loghost_address:·None
39 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·039 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
40 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·040 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
41 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·141 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
42 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·042 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
43 ······sysctl_net_ipv4_conf_default_rp_filter_value:·143 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
44 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·044 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
45 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
46 ······sysctl_net_ipv4_tcp_syncookies_value:·146 ······sysctl_net_ipv4_tcp_syncookies_value:·1
47 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·047 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
48 ······sysctl_net_ipv4_conf_all_log_martians_value:·148 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
49 ······sysctl_net_ipv4_conf_all_rp_filter_value:·149 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
50 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·150 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
51 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·051 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
52 ······var_selinux_policy_name:·targeted52 ······var_selinux_policy_name:·targeted
53 ······var_selinux_state:·enforcing53 ······var_selinux_state:·enforcing
54 ······var_accounts_password_minlen_login_defs:·1554 ······var_accounts_password_minlen_login_defs:·15
55 ······var_accounts_minimum_age_login_defs:·7 
56 ······var_accounts_maximum_age_login_defs:·90 
57 ······var_accounts_password_warn_age_login_defs:·755 ······var_accounts_password_warn_age_login_defs:·7
 56 ······var_accounts_maximum_age_login_defs:·90
 57 ······var_accounts_minimum_age_login_defs:·7
58 ······var_password_pam_unix_remember:·558 ······var_password_pam_unix_remember:·5
59 ······var_accounts_passwords_pam_faillock_deny:·359 ······var_accounts_passwords_pam_faillock_deny:·3
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_tmout:·60063 ······var_accounts_tmout:·600
 64 ······var_removable_partition:·/dev/cdrom
64 ······var_auditd_max_log_file:·665 ······var_auditd_max_log_file:·6
65 ······var_auditd_admin_space_left_action:·single66 ······var_auditd_admin_space_left_action:·single
66 ······var_auditd_max_log_file_action:·rotate67 ······var_auditd_max_log_file_action:·rotate
67 ······var_removable_partition:·/dev/cdrom 
68 ···tasks:68 ···tasks:
69 ····-·name:·Check·if·/etc/samba/smb.conf·exists69 ····-·name:·Check·if·/etc/samba/smb.conf·exists
70 ······stat:70 ······stat:
71 ········path:·/etc/samba/smb.conf71 ········path:·/etc/samba/smb.conf
72 ······register:·st_smb72 ······register:·st_smb
73 ······tags:73 ······tags:
74 ········-·require_smb_client_signing74 ········-·require_smb_client_signing
Offset 109, 14 lines modifiedOffset 109, 81 lines modified
109 ········-·low_complexity109 ········-·low_complexity
110 ········-·low_disruption110 ········-·low_disruption
111 ········-·CCE-27093-4111 ········-·CCE-27093-4
112 ········-·NIST-800-53-AU-8(1)112 ········-·NIST-800-53-AU-8(1)
113 ········-·PCI-DSS-Req-10.4113 ········-·PCI-DSS-Req-10.4
114 ········-·DISA-STIG-RHEL-06-000247114 ········-·DISA-STIG-RHEL-06-000247
115 ····115 ····
 116 ····-·name:·Ensure·openldap-servers·is·removed
 117 ······package:
 118 ········name="{{item}}"
 119 ········state=absent
 120 ······with_items:
 121 ········-·openldap-servers
 122 ······tags:
 123 ········-·package_openldap-servers_removed
 124 ········-·unknown_severity
 125 ········-·disable_strategy
 126 ········-·low_complexity
 127 ········-·low_disruption
 128 ········-·CCE-26858-1
 129 ········-·NIST-800-53-CM-7
 130 ········-·DISA-STIG-RHEL-06-000256
 131 ····
 132 ····-·name:·Enable·service·crond
 133 ······service:
 134 ········name="{{item}}"
 135 ········enabled="yes"
 136 ········state="started"
 137 ······with_items:
 138 ········-·crond
 139 ······tags:
 140 ········-·service_crond_enabled
 141 ········-·medium_severity
 142 ········-·enable_strategy
 143 ········-·low_complexity
 144 ········-·low_disruption
 145 ········-·CCE-27070-2
 146 ········-·NIST-800-53-CM-7
 147 ········-·DISA-STIG-RHEL-06-000224
 148 ····
 149 ····-·name:·Disable·service·atd
 150 ······service:
 151 ········name="{{item}}"
 152 ········enabled="no"
 153 ········state="stopped"
 154 ······register:·service_result
 155 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 156 ······with_items:
 157 ········-·atd
 158 ······tags:
 159 ········-·service_atd_disabled
 160 ········-·unknown_severity
 161 ········-·disable_strategy
 162 ········-·low_complexity
 163 ········-·low_disruption
 164 ········-·CCE-27249-2
 165 ········-·NIST-800-53-CM-7
 166 ········-·DISA-STIG-RHEL-06-000262
 167 ····
 168 ····-·name:·Ensure·xorg-x11-server-common·is·removed
 169 ······package:
 170 ········name="{{item}}"
 171 ········state=absent
 172 ······with_items:
 173 ········-·xorg-x11-server-common
 174 ······tags:
 175 ········-·package_xorg-x11-server-common_removed
 176 ········-·unknown_severity
 177 ········-·disable_strategy
 178 ········-·low_complexity
 179 ········-·low_disruption
 180 ········-·CCE-27198-1
 181 ········-·DISA-STIG-RHEL-06-000291
 182 ····
116 ····-·name:·Ensure·rsh-server·is·removed183 ····-·name:·Ensure·rsh-server·is·removed
117 ······package:184 ······package:
118 ········name="{{item}}"185 ········name="{{item}}"
119 ········state=absent186 ········state=absent
120 ······with_items:187 ······with_items:
121 ········-·rsh-server188 ········-·rsh-server
122 ······tags:189 ······tags:
Offset 271, 65 lines modifiedOffset 338, 14 lines modified
Max diff block lines reached; 114413/118830 bytes (96.28%) of diff not shown.
115 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-standard.yml
    
Offset 35, 41 lines modifiedOffset 35, 41 lines modified
35 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."35 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
36 ··········36 ··········
37 ···vars:37 ···vars:
38 ······sshd_idle_timeout_value:·30038 ······sshd_idle_timeout_value:·300
39 ······rsyslog_remote_loghost_address:·None39 ······rsyslog_remote_loghost_address:·None
40 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·040 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
41 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·041 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
42 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·142 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
43 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_rp_filter_value:·144 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
45 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
46 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·046 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
47 ······sysctl_net_ipv4_tcp_syncookies_value:·147 ······sysctl_net_ipv4_tcp_syncookies_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·048 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_all_log_martians_value:·149 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
50 ······sysctl_net_ipv4_conf_all_rp_filter_value:·150 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
51 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·151 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
52 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·052 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
53 ······var_selinux_policy_name:·targeted53 ······var_selinux_policy_name:·targeted
54 ······var_selinux_state:·enforcing54 ······var_selinux_state:·enforcing
55 ······var_accounts_password_minlen_login_defs:·1555 ······var_accounts_password_minlen_login_defs:·15
56 ······var_accounts_minimum_age_login_defs:·7 
57 ······var_accounts_maximum_age_login_defs:·90 
58 ······var_accounts_password_warn_age_login_defs:·756 ······var_accounts_password_warn_age_login_defs:·7
 57 ······var_accounts_maximum_age_login_defs:·90
 58 ······var_accounts_minimum_age_login_defs:·7
59 ······var_password_pam_unix_remember:·559 ······var_password_pam_unix_remember:·5
60 ······var_accounts_passwords_pam_faillock_deny:·360 ······var_accounts_passwords_pam_faillock_deny:·3
61 ······var_accounts_passwords_pam_faillock_unlock_time:·60480061 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
62 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000062 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
63 ······var_password_pam_retry:·363 ······var_password_pam_retry:·3
64 ······var_accounts_tmout:·60064 ······var_accounts_tmout:·600
 65 ······var_removable_partition:·/dev/cdrom
65 ······var_auditd_max_log_file:·666 ······var_auditd_max_log_file:·6
66 ······var_auditd_admin_space_left_action:·single67 ······var_auditd_admin_space_left_action:·single
67 ······var_auditd_max_log_file_action:·rotate68 ······var_auditd_max_log_file_action:·rotate
68 ······var_removable_partition:·/dev/cdrom 
69 ···tasks:69 ···tasks:
70 ····-·name:·Check·if·/etc/samba/smb.conf·exists70 ····-·name:·Check·if·/etc/samba/smb.conf·exists
71 ······stat:71 ······stat:
72 ········path:·/etc/samba/smb.conf72 ········path:·/etc/samba/smb.conf
73 ······register:·st_smb73 ······register:·st_smb
74 ······tags:74 ······tags:
75 ········-·require_smb_client_signing75 ········-·require_smb_client_signing
Offset 110, 14 lines modifiedOffset 110, 66 lines modified
110 ········-·low_complexity110 ········-·low_complexity
111 ········-·low_disruption111 ········-·low_disruption
112 ········-·CCE-27093-4112 ········-·CCE-27093-4
113 ········-·NIST-800-53-AU-8(1)113 ········-·NIST-800-53-AU-8(1)
114 ········-·PCI-DSS-Req-10.4114 ········-·PCI-DSS-Req-10.4
115 ········-·DISA-STIG-RHEL-06-000247115 ········-·DISA-STIG-RHEL-06-000247
116 ····116 ····
 117 ····-·name:·Ensure·openldap-servers·is·removed
 118 ······package:
 119 ········name="{{item}}"
 120 ········state=absent
 121 ······with_items:
 122 ········-·openldap-servers
 123 ······tags:
 124 ········-·package_openldap-servers_removed
 125 ········-·unknown_severity
 126 ········-·disable_strategy
 127 ········-·low_complexity
 128 ········-·low_disruption
 129 ········-·CCE-26858-1
 130 ········-·NIST-800-53-CM-7
 131 ········-·DISA-STIG-RHEL-06-000256
 132 ····
 133 ····-·name:·Enable·service·crond
 134 ······service:
 135 ········name="{{item}}"
 136 ········enabled="yes"
 137 ········state="started"
 138 ······with_items:
 139 ········-·crond
 140 ······tags:
 141 ········-·service_crond_enabled
 142 ········-·medium_severity
 143 ········-·enable_strategy
 144 ········-·low_complexity
 145 ········-·low_disruption
 146 ········-·CCE-27070-2
 147 ········-·NIST-800-53-CM-7
 148 ········-·DISA-STIG-RHEL-06-000224
 149 ····
 150 ····-·name:·Disable·service·atd
 151 ······service:
 152 ········name="{{item}}"
 153 ········enabled="no"
 154 ········state="stopped"
 155 ······register:·service_result
 156 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 157 ······with_items:
 158 ········-·atd
 159 ······tags:
 160 ········-·service_atd_disabled
 161 ········-·unknown_severity
 162 ········-·disable_strategy
 163 ········-·low_complexity
 164 ········-·low_disruption
 165 ········-·CCE-27249-2
 166 ········-·NIST-800-53-CM-7
 167 ········-·DISA-STIG-RHEL-06-000262
 168 ····
117 ····-·name:·Ensure·rsh-server·is·removed169 ····-·name:·Ensure·rsh-server·is·removed
118 ······package:170 ······package:
119 ········name="{{item}}"171 ········name="{{item}}"
120 ········state=absent172 ········state=absent
121 ······with_items:173 ······with_items:
122 ········-·rsh-server174 ········-·rsh-server
123 ······tags:175 ······tags:
Offset 272, 50 lines modifiedOffset 324, 14 lines modified
272 ········-·disable_strategy324 ········-·disable_strategy
273 ········-·low_complexity325 ········-·low_complexity
274 ········-·low_disruption326 ········-·low_disruption
275 ········-·CCE-27005-8327 ········-·CCE-27005-8
276 ········-·NIST-800-53-CM-7328 ········-·NIST-800-53-CM-7
277 ········-·DISA-STIG-RHEL-06-000204329 ········-·DISA-STIG-RHEL-06-000204
278 ····330 ····
279 ····-·name:·Enable·service·crond 
280 ······service: 
281 ········name="{{item}}" 
282 ········enabled="yes" 
283 ········state="started" 
284 ······with_items: 
285 ········-·crond 
286 ······tags: 
Max diff block lines reached; 112847/118018 bytes (95.62%) of diff not shown.
148 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-stig-rhel6-disa.yml
    
Offset 40, 49 lines modifiedOffset 40, 49 lines modified
40 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."40 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
41 ··········41 ··········
42 ···vars:42 ···vars:
43 ······sshd_idle_timeout_value:·90043 ······sshd_idle_timeout_value:·900
44 ······rsyslog_remote_loghost_address:·None44 ······rsyslog_remote_loghost_address:·None
45 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·045 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
46 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·046 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
47 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·147 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
48 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·048 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_default_rp_filter_value:·149 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
50 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·050 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
51 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·051 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
52 ······sysctl_net_ipv4_tcp_syncookies_value:·152 ······sysctl_net_ipv4_tcp_syncookies_value:·1
53 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·053 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
54 ······sysctl_net_ipv4_conf_all_log_martians_value:·154 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
55 ······sysctl_net_ipv4_conf_all_rp_filter_value:·155 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
56 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·156 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
57 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·057 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
58 ······var_selinux_policy_name:·targeted58 ······var_selinux_policy_name:·targeted
59 ······var_selinux_state:·enforcing59 ······var_selinux_state:·enforcing
60 ······var_accounts_password_minlen_login_defs:·1560 ······var_accounts_password_minlen_login_defs:·15
61 ······var_accounts_minimum_age_login_defs:·1 
62 ······var_accounts_maximum_age_login_defs:·60 
63 ······var_accounts_password_warn_age_login_defs:·761 ······var_accounts_password_warn_age_login_defs:·7
 62 ······var_accounts_maximum_age_login_defs:·60
 63 ······var_accounts_minimum_age_login_defs:·1
64 ······var_account_disable_post_pw_expiration:·3564 ······var_account_disable_post_pw_expiration:·35
65 ······var_password_pam_unix_remember:·565 ······var_password_pam_unix_remember:·5
66 ······var_accounts_passwords_pam_faillock_deny:·366 ······var_accounts_passwords_pam_faillock_deny:·3
67 ······var_accounts_passwords_pam_faillock_unlock_time:·60480067 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
68 ······var_accounts_passwords_pam_faillock_fail_interval:·90068 ······var_accounts_passwords_pam_faillock_fail_interval:·900
69 ······var_password_pam_maxrepeat:·369 ······var_password_pam_maxrepeat:·3
70 ······var_password_pam_retry:·370 ······var_password_pam_retry:·3
71 ······var_accounts_user_umask:·07771 ······var_accounts_user_umask:·077
72 ······var_accounts_tmout:·60072 ······var_accounts_tmout:·600
73 ······var_accounts_max_concurrent_login_sessions:·1073 ······var_accounts_max_concurrent_login_sessions:·10
 74 ······var_removable_partition:·/dev/cdrom
 75 ······var_removable_partition:·/dev/cdrom
 76 ······var_removable_partition:·/dev/cdrom
74 ······var_auditd_max_log_file:·677 ······var_auditd_max_log_file:·6
75 ······var_auditd_action_mail_acct:·admin78 ······var_auditd_action_mail_acct:·admin
76 ······var_auditd_space_left_action:·suspend 
77 ······var_auditd_admin_space_left_action:·single79 ······var_auditd_admin_space_left_action:·single
 80 ······var_auditd_space_left_action:·suspend
78 ······var_auditd_max_log_file_action:·rotate81 ······var_auditd_max_log_file_action:·rotate
79 ······var_removable_partition:·/dev/cdrom 
80 ······var_removable_partition:·/dev/cdrom 
81 ······var_removable_partition:·/dev/cdrom 
82 ···tasks:82 ···tasks:
83 ····-·name:·Check·if·/etc/samba/smb.conf·exists83 ····-·name:·Check·if·/etc/samba/smb.conf·exists
84 ······stat:84 ······stat:
85 ········path:·/etc/samba/smb.conf85 ········path:·/etc/samba/smb.conf
86 ······register:·st_smb86 ······register:·st_smb
87 ······tags:87 ······tags:
88 ········-·require_smb_client_signing88 ········-·require_smb_client_signing
Offset 105, 63 lines modifiedOffset 105, 98 lines modified
105 ········-·unknown_severity105 ········-·unknown_severity
106 ········-·configure_strategy106 ········-·configure_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·medium_disruption108 ········-·medium_disruption
109 ········-·CCE-26328-5109 ········-·CCE-26328-5
110 ········-·DISA-STIG-RHEL-06-000272110 ········-·DISA-STIG-RHEL-06-000272
111 ····111 ····
112 ····-·name:·Ensure·sendmail·is·removed112 ····-·name:·Enable·service·ntpd
 113 ······service:
 114 ········name="{{item}}"
 115 ········enabled="yes"
 116 ········state="started"
 117 ······with_items:
 118 ········-·ntpd
 119 ······tags:
 120 ········-·service_ntpd_enabled
 121 ········-·medium_severity
 122 ········-·enable_strategy
 123 ········-·low_complexity
 124 ········-·low_disruption
 125 ········-·CCE-27093-4
 126 ········-·NIST-800-53-AU-8(1)
 127 ········-·PCI-DSS-Req-10.4
 128 ········-·DISA-STIG-RHEL-06-000247
 129 ····
 130 ····-·name:·Ensure·openldap-servers·is·removed
113 ······package:131 ······package:
114 ········name="{{item}}"132 ········name="{{item}}"
115 ········state=absent133 ········state=absent
116 ······with_items:134 ······with_items:
117 ········-·sendmail135 ········-·openldap-servers
118 ······tags:136 ······tags:
119 ········-·package_sendmail_removed137 ········-·package_openldap-servers_removed
120 ········-·medium_severity138 ········-·unknown_severity
121 ········-·disable_strategy139 ········-·disable_strategy
122 ········-·low_complexity140 ········-·low_complexity
123 ········-·low_disruption141 ········-·low_disruption
124 ········-·CCE-27515-6142 ········-·CCE-26858-1
125 ········-·NIST-800-53-CM-7143 ········-·NIST-800-53-CM-7
126 ········-·DISA-STIG-RHEL-06-000288144 ········-·DISA-STIG-RHEL-06-000256
127 ····145 ····
128 ····-·name:·Enable·service·postfix146 ····-·name:·Enable·service·crond
129 ······service:147 ······service:
130 ········name="{{item}}"148 ········name="{{item}}"
131 ········enabled="yes"149 ········enabled="yes"
132 ········state="started"150 ········state="started"
133 ······with_items:151 ······with_items:
134 ········-·postfix152 ········-·crond
135 ······tags:153 ······tags:
136 ········-·service_postfix_enabled154 ········-·service_crond_enabled
137 ········-·unknown_severity155 ········-·medium_severity
138 ········-·enable_strategy156 ········-·enable_strategy
139 ········-·low_complexity157 ········-·low_complexity
140 ········-·low_disruption158 ········-·low_disruption
141 ········-·CCE-26325-1159 ········-·CCE-27070-2
142 ········-·DISA-STIG-RHEL-06-000287160 ········-·NIST-800-53-CM-7
 161 ········-·DISA-STIG-RHEL-06-000224
143 ····162 ····
144 ····-·name:·Enable·service·ntpd163 ····-·name:·Disable·service·atd
145 ······service:164 ······service:
146 ········name="{{item}}"165 ········name="{{item}}"
147 ········enabled="yes"166 ········enabled="no"
148 ········state="started"167 ········state="stopped"
 168 ······register:·service_result
 169 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
149 ······with_items:170 ······with_items:
150 ········-·ntpd171 ········-·atd
151 ······tags:172 ······tags:
152 ········-·service_ntpd_enabled173 ········-·service_atd_disabled
153 ········-·medium_severity174 ········-·unknown_severity
154 ········-·enable_strategy175 ········-·disable_strategy
Max diff block lines reached; 146690/151852 bytes (96.60%) of diff not shown.
161 KB
./usr/share/scap-security-guide/ansible/ssg-rhel6-role-usgcb-rhel6-server.yml
    
Offset 35, 85 lines modifiedOffset 35, 72 lines modified
35 ··········35 ··········
36 ···vars:36 ···vars:
37 ······sshd_idle_timeout_value:·30037 ······sshd_idle_timeout_value:·300
38 ······rsyslog_remote_loghost_address:·None38 ······rsyslog_remote_loghost_address:·None
39 ······sysctl_net_ipv6_conf_default_accept_ra_value:·039 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
40 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·040 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
41 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·041 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
42 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·142 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
43 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_rp_filter_value:·144 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
45 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
46 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 
47 ······sysctl_net_ipv4_tcp_syncookies_value:·146 ······sysctl_net_ipv4_tcp_syncookies_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·047 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_all_log_martians_value:·148 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
50 ······sysctl_net_ipv4_conf_all_rp_filter_value:·149 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
51 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·150 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
 51 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
52 ······var_selinux_policy_name:·targeted52 ······var_selinux_policy_name:·targeted
53 ······var_selinux_state:·enforcing53 ······var_selinux_state:·enforcing
54 ······var_accounts_password_minlen_login_defs:·1254 ······var_accounts_password_minlen_login_defs:·12
55 ······var_accounts_maximum_age_login_defs:·60 
56 ······var_accounts_password_warn_age_login_defs:·1455 ······var_accounts_password_warn_age_login_defs:·14
 56 ······var_accounts_maximum_age_login_defs:·60
57 ······var_account_disable_post_pw_expiration:·3057 ······var_account_disable_post_pw_expiration:·30
58 ······var_password_pam_unix_remember:·2458 ······var_password_pam_unix_remember:·24
59 ······var_accounts_passwords_pam_faillock_deny:·559 ······var_accounts_passwords_pam_faillock_deny:·5
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_user_umask:·07763 ······var_accounts_user_umask:·077
64 ······var_removable_partition:·/dev/cdrom64 ······var_removable_partition:·/dev/cdrom
65 ······var_removable_partition:·/dev/cdrom65 ······var_removable_partition:·/dev/cdrom
66 ······var_removable_partition:·/dev/cdrom66 ······var_removable_partition:·/dev/cdrom
67 ···tasks:67 ···tasks:
68 ····-·name:·Disable·service·smb68 ····-·name:·Disable·service·vsftpd
69 ······service:69 ······service:
70 ········name="{{item}}"70 ········name="{{item}}"
71 ········enabled="no"71 ········enabled="no"
72 ········state="stopped"72 ········state="stopped"
73 ······register:·service_result73 ······register:·service_result
74 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"74 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
75 ······with_items:75 ······with_items:
76 ········-·smb76 ········-·vsftpd
77 ······tags:77 ······tags:
78 ········-·service_smb_disabled78 ········-·service_vsftpd_disabled
79 ········-·unknown_severity79 ········-·unknown_severity
80 ········-·disable_strategy80 ········-·disable_strategy
81 ········-·low_complexity81 ········-·low_complexity
82 ········-·low_disruption82 ········-·low_disruption
83 ········-·CCE-27143-783 ········-·CCE-26948-0
84 ····84 ········-·NIST-800-53-CM-7
85 ····-·name:·Check·if·/etc/samba/smb.conf·exists 
86 ······stat: 
87 ········path:·/etc/samba/smb.conf 
88 ······register:·st_smb 
89 ······tags: 
90 ········-·require_smb_client_signing 
91 ········-·unknown_severity 
92 ········-·configure_strategy 
93 ········-·low_complexity 
94 ········-·medium_disruption 
95 ········-·CCE-26328-5 
96 ········-·DISA-STIG-RHEL-06-000272 
97 ····85 ····
98 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient86 ····-·name:·Ensure·vsftpd·is·removed
99 ······lineinfile:87 ······package:
100 ········dest:·/etc/samba/smb.conf88 ········name="{{item}}"
101 ········line:·client·signing·=·mandatory89 ········state=absent
102 ········state:·present90 ······with_items:
103 ········insertafter:·[global]91 ········-·vsftpd
104 ······when:·st_smb.stat.exists 
105 ······tags:92 ······tags:
106 ········-·require_smb_client_signing93 ········-·package_vsftpd_removed
107 ········-·unknown_severity94 ········-·unknown_severity
108 ········-·configure_strategy95 ········-·disable_strategy
109 ········-·low_complexity96 ········-·low_complexity
110 ········-·medium_disruption97 ········-·low_disruption
111 ········-·CCE-26328-598 ········-·CCE-26687-4
112 ········-·DISA-STIG-RHEL-06-00027299 ········-·NIST-800-53-CM-7
113 ····100 ····
114 ····-·name:·Disable·service·httpd101 ····-·name:·Disable·service·httpd
115 ······service:102 ······service:
116 ········name="{{item}}"103 ········name="{{item}}"
117 ········enabled="no"104 ········enabled="no"
118 ········state="stopped"105 ········state="stopped"
119 ······register:·service_result106 ······register:·service_result
Offset 140, 62 lines modifiedOffset 127, 92 lines modified
140 ········-·unknown_severity127 ········-·unknown_severity
141 ········-·disable_strategy128 ········-·disable_strategy
142 ········-·low_complexity129 ········-·low_complexity
143 ········-·low_disruption130 ········-·low_disruption
144 ········-·CCE-27133-8131 ········-·CCE-27133-8
145 ········-·NIST-800-53-CM-7132 ········-·NIST-800-53-CM-7
146 ····133 ····
147 ····-·name:·Ensure·sendmail·is·removed134 ····-·name:·Disable·service·named
148 ······package:135 ······service:
149 ········name="{{item}}"136 ········name="{{item}}"
150 ········state=absent137 ········enabled="no"
 138 ········state="stopped"
 139 ······register:·service_result
 140 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
151 ······with_items:141 ······with_items:
152 ········-·sendmail142 ········-·named
153 ······tags:143 ······tags:
154 ········-·package_sendmail_removed144 ········-·service_named_disabled
155 ········-·medium_severity145 ········-·unknown_severity
156 ········-·disable_strategy146 ········-·disable_strategy
157 ········-·low_complexity147 ········-·low_complexity
158 ········-·low_disruption148 ········-·low_disruption
159 ········-·CCE-27515-6149 ········-·CCE-26873-0
160 ········-·NIST-800-53-CM-7150 ········-·NIST-800-53-CM-7
161 ········-·DISA-STIG-RHEL-06-000288 
162 ····151 ····
163 ····-·name:·Ensure·dhcp·is·removed152 ····-·name:·Ensure·bind·is·removed
164 ······package:153 ······package:
165 ········name="{{item}}"154 ········name="{{item}}"
166 ········state=absent155 ········state=absent
167 ······with_items:156 ······with_items:
168 ········-·dhcp157 ········-·bind
169 ······tags:158 ······tags:
170 ········-·package_dhcp_removed159 ········-·package_bind_removed
171 ········-·medium_severity160 ········-·unknown_severity
172 ········-·disable_strategy161 ········-·disable_strategy
173 ········-·low_complexity162 ········-·low_complexity
174 ········-·low_disruption163 ········-·low_disruption
175 ········-·CCE-27120-5164 ········-·CCE-27030-6
Max diff block lines reached; 159145/164250 bytes (96.89%) of diff not shown.
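Review bot: `rsyslog_remote_loghost_address: None` (gutter line 38, identical on both sides of this section) looks like a Python `None` rendered into the vars block as the literal string `None`; any task that templates this value into the rsyslog remote-logging target would configure log forwarding to a host named `None`, so the generator should emit the profile's actual default or omit the key when no value is set. The same vars block repeats `var_removable_partition: /dev/cdrom` three times (gutter lines 64–66 on both sides), which is a duplicate mapping key in YAML; loaders typically keep only the last occurrence silently, so values should be de-duplicated before they are written. The remaining differences in this section appear to be task reordering between the two builds, which points to non-deterministic iteration in the generator rather than a change in what the role enforces. These roles are build output, so the fix belongs in the script that renders them, not in this file; the section is truncated, so later hunks were not reviewed.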
100 KB
./usr/share/scap-security-guide/ansible/ssg-rhel7-role-C2S.yml
Ordering differences only
    
Offset 46, 26 lines modifiedOffset 46, 26 lines modified
46 ······sshd_idle_timeout_value:·720046 ······sshd_idle_timeout_value:·7200
47 ······rsyslog_remote_loghost_address:·logcollector47 ······rsyslog_remote_loghost_address:·logcollector
48 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·048 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv6_conf_default_accept_ra_value:·049 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
50 ······sysctl_net_ipv6_conf_all_accept_ra_value:·050 ······sysctl_net_ipv6_conf_all_accept_ra_value:·0
51 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·051 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
52 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·052 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
53 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·153 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
54 ······sysctl_net_ipv4_conf_default_log_martians_value:·154 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
55 ······sysctl_net_ipv4_conf_default_rp_filter_value:·155 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
56 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·056 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
57 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·057 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
58 ······sysctl_net_ipv4_tcp_syncookies_value:·158 ······sysctl_net_ipv4_tcp_syncookies_value:·1
59 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·059 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
60 ······sysctl_net_ipv4_conf_all_log_martians_value:·160 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
61 ······sysctl_net_ipv4_conf_all_rp_filter_value:·161 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
62 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·162 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
63 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·063 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
64 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·064 ······sysctl_net_ipv4_conf_default_log_martians_value:·1
65 ······var_selinux_policy_name:·targeted65 ······var_selinux_policy_name:·targeted
66 ······var_selinux_state:·enforcing66 ······var_selinux_state:·enforcing
67 ······var_accounts_password_warn_age_login_defs:·767 ······var_accounts_password_warn_age_login_defs:·7
68 ······var_accounts_minimum_age_login_defs:·768 ······var_accounts_minimum_age_login_defs:·7
69 ······var_accounts_maximum_age_login_defs:·9069 ······var_accounts_maximum_age_login_defs:·90
70 ······var_account_disable_post_pw_expiration:·3070 ······var_account_disable_post_pw_expiration:·30
71 ······var_password_pam_unix_remember:·571 ······var_password_pam_unix_remember:·5
Offset 274, 14 lines modifiedOffset 274, 30 lines modified
274 ········-·disable_strategy274 ········-·disable_strategy
275 ········-·low_complexity275 ········-·low_complexity
276 ········-·low_disruption276 ········-·low_disruption
277 ········-·CCE-80212-4277 ········-·CCE-80212-4
278 ········-·NIST-800-53-AC-17(8)278 ········-·NIST-800-53-AC-17(8)
279 ········-·NIST-800-53-CM-7279 ········-·NIST-800-53-CM-7
280 ····280 ····
 281 ····-·name:·Ensure·tcp_wrappers·is·installed
 282 ······package:
 283 ········name="{{item}}"
 284 ········state=present
 285 ······with_items:
 286 ········-·tcp_wrappers
 287 ······tags:
 288 ········-·package_tcp_wrappers_installed
 289 ········-·medium_severity
 290 ········-·enable_strategy
 291 ········-·low_complexity
 292 ········-·low_disruption
 293 ········-·CCE-27361-5
 294 ········-·NIST-800-53-CM-6(b)
 295 ········-·DISA-STIG-RHEL-07-TBD
 296 ····
281 ····-·name:·Disable·service·xinetd297 ····-·name:·Disable·service·xinetd
282 ······service:298 ······service:
283 ········name="{{item}}"299 ········name="{{item}}"
284 ········enabled="no"300 ········enabled="no"
285 ········state="stopped"301 ········state="stopped"
286 ······register:·service_result302 ······register:·service_result
287 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"303 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 294, 30 lines modifiedOffset 310, 14 lines modified
294 ········-·low_complexity310 ········-·low_complexity
295 ········-·low_disruption311 ········-·low_disruption
296 ········-·CCE-27443-1312 ········-·CCE-27443-1
297 ········-·NIST-800-53-AC-17(8)313 ········-·NIST-800-53-AC-17(8)
298 ········-·NIST-800-53-CM-7314 ········-·NIST-800-53-CM-7
299 ········-·NIST-800-171-3.4.7315 ········-·NIST-800-171-3.4.7
300 ····316 ····
301 ····-·name:·Ensure·tcp_wrappers·is·installed 
302 ······package: 
303 ········name="{{item}}" 
304 ········state=present 
305 ······with_items: 
306 ········-·tcp_wrappers 
307 ······tags: 
308 ········-·package_tcp_wrappers_installed 
309 ········-·medium_severity 
310 ········-·enable_strategy 
311 ········-·low_complexity 
312 ········-·low_disruption 
313 ········-·CCE-27361-5 
314 ········-·NIST-800-53-CM-6(b) 
315 ········-·DISA-STIG-RHEL-07-TBD 
316 ···· 
317 ····-·name:·Ensure·talk·is·removed317 ····-·name:·Ensure·talk·is·removed
318 ······package:318 ······package:
319 ········name="{{item}}"319 ········name="{{item}}"
320 ········state=absent320 ········state=absent
321 ······with_items:321 ······with_items:
322 ········-·talk322 ········-·talk
323 ······tags:323 ······tags:
Offset 338, 14 lines modifiedOffset 338, 31 lines modified
338 ········-·package_talk-server_removed338 ········-·package_talk-server_removed
339 ········-·medium_severity339 ········-·medium_severity
340 ········-·disable_strategy340 ········-·disable_strategy
341 ········-·low_complexity341 ········-·low_complexity
342 ········-·low_disruption342 ········-·low_disruption
343 ········-·CCE-27210-4343 ········-·CCE-27210-4
344 ····344 ····
 345 ····-·name:·Disable·service·dovecot
 346 ······service:
 347 ········name="{{item}}"
 348 ········enabled="no"
 349 ········state="stopped"
 350 ······register:·service_result
 351 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 352 ······with_items:
 353 ········-·dovecot
 354 ······tags:
 355 ········-·service_dovecot_disabled
 356 ········-·unknown_severity
 357 ········-·disable_strategy
 358 ········-·low_complexity
 359 ········-·low_disruption
 360 ········-·CCE-80294-2
 361 ····
345 ····-·name:·Disable·service·vsftpd362 ····-·name:·Disable·service·vsftpd
346 ······service:363 ······service:
347 ········name="{{item}}"364 ········name="{{item}}"
348 ········enabled="no"365 ········enabled="no"
349 ········state="stopped"366 ········state="stopped"
350 ······register:·service_result367 ······register:·service_result
351 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"368 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 496, 31 lines modifiedOffset 513, 14 lines modified
496 ········-·medium_severity513 ········-·medium_severity
497 ········-·disable_strategy514 ········-·disable_strategy
498 ········-·low_complexity515 ········-·low_complexity
499 ········-·low_disruption516 ········-·low_disruption
500 ········-·CCE-80330-4517 ········-·CCE-80330-4
501 ········-·NIST-800-53-CM-7518 ········-·NIST-800-53-CM-7
Max diff block lines reached; 97763/102303 bytes (95.56%) of diff not shown.
69.1 KB
./usr/share/scap-security-guide/ansible/ssg-rhel7-role-cjis.yml
Ordering differences only
    
Offset 37, 28 lines modifiedOffset 37, 28 lines modified
37 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."37 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
38 ··········38 ··········
39 ···vars:39 ···vars:
40 ······sshd_idle_timeout_value:·180040 ······sshd_idle_timeout_value:·1800
41 ······sshd_listening_port:·2241 ······sshd_listening_port:·22
42 ······inactivity_timeout_value:·180042 ······inactivity_timeout_value:·1800
43 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·043 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
44 ······sysctl_net_ipv4_tcp_syncookies_value:·1 
45 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 
46 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·144 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
47 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·045 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
 46 ······sysctl_net_ipv4_tcp_syncookies_value:·1
 47 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
48 ······var_accounts_minimum_age_login_defs:·148 ······var_accounts_minimum_age_login_defs:·1
49 ······var_account_disable_post_pw_expiration:·049 ······var_account_disable_post_pw_expiration:·0
50 ······var_password_pam_minlen:·1250 ······var_password_pam_minlen:·12
51 ······var_password_pam_difok:·651 ······var_password_pam_difok:·6
52 ······var_accounts_max_concurrent_login_sessions:·352 ······var_accounts_max_concurrent_login_sessions:·3
53 ······var_auditd_max_log_file:·153 ······var_auditd_max_log_file:·1
54 ······var_auditd_action_mail_acct:·admin54 ······var_auditd_action_mail_acct:·admin
55 ······var_auditd_space_left_action:·suspend 
56 ······var_auditd_admin_space_left_action:·suspend55 ······var_auditd_admin_space_left_action:·suspend
57 ······var_auditd_max_log_file_action:·rotate56 ······var_auditd_max_log_file_action:·rotate
 57 ······var_auditd_space_left_action:·suspend
58 ···tasks:58 ···tasks:
59 ····-·name:·Disable·SSH·Access·via·Empty·Passwords59 ····-·name:·Disable·SSH·Access·via·Empty·Passwords
60 ······lineinfile:60 ······lineinfile:
61 ········create:·yes61 ········create:·yes
62 ········dest:·/etc/ssh/sshd_config62 ········dest:·/etc/ssh/sshd_config
63 ········regexp:·^PermitEmptyPasswords63 ········regexp:·^PermitEmptyPasswords
64 ········line:·PermitEmptyPasswords·no64 ········line:·PermitEmptyPasswords·no
Offset 96, 14 lines modifiedOffset 96, 39 lines modified
96 ········-·NIST-800-53-AC-2(5)96 ········-·NIST-800-53-AC-2(5)
97 ········-·NIST-800-53-SA-897 ········-·NIST-800-53-SA-8
98 ········-·NIST-800-53-AC-1298 ········-·NIST-800-53-AC-12
99 ········-·NIST-800-171-3.1.1199 ········-·NIST-800-171-3.1.11
100 ········-·CJIS-5.5.6100 ········-·CJIS-5.5.6
101 ········-·DISA-STIG-RHEL-07-040340101 ········-·DISA-STIG-RHEL-07-040340
102 ····102 ····
 103 ····
 104 ····
 105 ····-·name:·Set·SSH·Idle·Timeout·Interval
 106 ······lineinfile:
 107 ········create:·yes
 108 ········dest:·/etc/ssh/sshd_config
 109 ········regexp:·^ClientAliveInterval
 110 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"
 111 ········validate:·sshd·-t·-f·%s
 112 ······#notify:·restart·sshd
 113 ······tags:
 114 ········-·sshd_set_idle_timeout
 115 ········-·unknown_severity
 116 ········-·restrict_strategy
 117 ········-·low_complexity
 118 ········-·low_disruption
 119 ········-·CCE-27433-2
 120 ········-·NIST-800-53-AC-2(5)
 121 ········-·NIST-800-53-SA-8(i)
 122 ········-·NIST-800-53-AC-12
 123 ········-·NIST-800-171-3.1.11
 124 ········-·PCI-DSS-Req-8.1.8
 125 ········-·CJIS-5.5.6
 126 ········-·DISA-STIG-RHEL-07-040320
 127 ····
103 ····-·name:·Enable·SSH·Warning·Banner128 ····-·name:·Enable·SSH·Warning·Banner
104 ······lineinfile:129 ······lineinfile:
105 ········create:·yes130 ········create:·yes
106 ········dest:·/etc/ssh/sshd_config131 ········dest:·/etc/ssh/sshd_config
107 ········regexp:·^Banner132 ········regexp:·^Banner
108 ········line:·Banner·/etc/issue133 ········line:·Banner·/etc/issue
109 ········validate:·sshd·-t·-f·%s134 ········validate:·sshd·-t·-f·%s
Offset 119, 33 lines modifiedOffset 144, 14 lines modified
119 ········-·NIST-800-53-AC-8(c)(1)144 ········-·NIST-800-53-AC-8(c)(1)
120 ········-·NIST-800-53-AC-8(c)(2)145 ········-·NIST-800-53-AC-8(c)(2)
121 ········-·NIST-800-53-AC-8(c)(3)146 ········-·NIST-800-53-AC-8(c)(3)
122 ········-·NIST-800-171-3.1.9147 ········-·NIST-800-171-3.1.9
123 ········-·CJIS-5.5.6148 ········-·CJIS-5.5.6
124 ········-·DISA-STIG-RHEL-07-040170149 ········-·DISA-STIG-RHEL-07-040170
125 ····150 ····
126 ····-·name:·Do·Not·Allow·SSH·Environment·Options 
127 ······lineinfile: 
128 ········create:·yes 
129 ········dest:·/etc/ssh/sshd_config 
130 ········regexp:·^PermitUserEnvironment 
131 ········line:·PermitUserEnvironment·no 
132 ········validate:·sshd·-t·-f·%s 
133 ······tags: 
134 ········-·sshd_do_not_permit_user_env 
135 ········-·medium_severity 
136 ········-·restrict_strategy 
137 ········-·low_complexity 
138 ········-·low_disruption 
139 ········-·CCE-27363-1 
140 ········-·NIST-800-53-CM-6(b) 
141 ········-·NIST-800-171-3.1.12 
142 ········-·CJIS-5.5.6 
143 ········-·DISA-STIG-RHEL-07-010460 
144 ···· 
145 ····151 ····
146 ····-·name:·"Allow·Only·SSH·Protocol·2"152 ····-·name:·"Allow·Only·SSH·Protocol·2"
147 ······lineinfile:153 ······lineinfile:
148 ········dest:·/etc/ssh/sshd_config154 ········dest:·/etc/ssh/sshd_config
149 ········regexp:·"^Protocol·[0-9]"155 ········regexp:·"^Protocol·[0-9]"
150 ········line:·"Protocol·2"156 ········line:·"Protocol·2"
151 ········validate:·sshd·-t·-f·%s157 ········validate:·sshd·-t·-f·%s
Offset 180, 38 lines modifiedOffset 186, 32 lines modified
180 ········-·CCE-27377-1186 ········-·CCE-27377-1
181 ········-·NIST-800-53-AC-3187 ········-·NIST-800-53-AC-3
182 ········-·NIST-800-53-CM-6(a)188 ········-·NIST-800-53-CM-6(a)
183 ········-·NIST-800-171-3.1.12189 ········-·NIST-800-171-3.1.12
184 ········-·CJIS-5.5.6190 ········-·CJIS-5.5.6
185 ········-·DISA-STIG-RHEL-07-040350191 ········-·DISA-STIG-RHEL-07-040350
186 ····192 ····
187 ····193 ····-·name:·Do·Not·Allow·SSH·Environment·Options
188 ···· 
189 ····-·name:·Set·SSH·Idle·Timeout·Interval 
190 ······lineinfile:194 ······lineinfile:
191 ········create:·yes195 ········create:·yes
192 ········dest:·/etc/ssh/sshd_config196 ········dest:·/etc/ssh/sshd_config
193 ········regexp:·^ClientAliveInterval197 ········regexp:·^PermitUserEnvironment
194 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"198 ········line:·PermitUserEnvironment·no
195 ········validate:·sshd·-t·-f·%s199 ········validate:·sshd·-t·-f·%s
196 ······#notify:·restart·sshd 
197 ······tags:200 ······tags:
198 ········-·sshd_set_idle_timeout201 ········-·sshd_do_not_permit_user_env
199 ········-·unknown_severity202 ········-·medium_severity
200 ········-·restrict_strategy203 ········-·restrict_strategy
Max diff block lines reached; 66416/70623 bytes (94.04%) of diff not shown.
100 KB
./usr/share/scap-security-guide/ansible/ssg-rhel7-role-hipaa.yml
Ordering differences only
    
Offset 220, 14 lines modifiedOffset 220, 28 lines modified
220 ········-·low_complexity220 ········-·low_complexity
221 ········-·low_disruption221 ········-·low_disruption
222 ········-·CCE-27165-0222 ········-·CCE-27165-0
223 ········-·NIST-800-53-AC-17(8)223 ········-·NIST-800-53-AC-17(8)
224 ········-·NIST-800-53-CM-7(a)224 ········-·NIST-800-53-CM-7(a)
225 ········-·DISA-STIG-RHEL-07-021710225 ········-·DISA-STIG-RHEL-07-021710
226 ····226 ····
 227 ····-·name:·Ensure·ypbind·is·removed
 228 ······package:
 229 ········name="{{item}}"
 230 ········state=absent
 231 ······with_items:
 232 ········-·ypbind
 233 ······tags:
 234 ········-·package_ypbind_removed
 235 ········-·unknown_severity
 236 ········-·disable_strategy
 237 ········-·low_complexity
 238 ········-·low_disruption
 239 ········-·CCE-27396-1
 240 ····
227 ····-·name:·Disable·service·ypbind241 ····-·name:·Disable·service·ypbind
228 ······service:242 ······service:
229 ········name="{{item}}"243 ········name="{{item}}"
230 ········enabled="no"244 ········enabled="no"
231 ········state="stopped"245 ········state="stopped"
232 ······register:·service_result246 ······register:·service_result
233 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"247 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 239, 28 lines modifiedOffset 253, 14 lines modified
239 ········-·disable_strategy253 ········-·disable_strategy
240 ········-·low_complexity254 ········-·low_complexity
241 ········-·low_disruption255 ········-·low_disruption
242 ········-·CCE-27385-4256 ········-·CCE-27385-4
243 ········-·NIST-800-53-AC-17(8)257 ········-·NIST-800-53-AC-17(8)
244 ········-·NIST-800-53-CM-7258 ········-·NIST-800-53-CM-7
245 ····259 ····
246 ····-·name:·Ensure·ypbind·is·removed 
247 ······package: 
248 ········name="{{item}}" 
249 ········state=absent 
250 ······with_items: 
251 ········-·ypbind 
252 ······tags: 
253 ········-·package_ypbind_removed 
254 ········-·unknown_severity 
255 ········-·disable_strategy 
256 ········-·low_complexity 
257 ········-·low_disruption 
258 ········-·CCE-27396-1 
259 ···· 
260 ····-·name:·Ensure·ypserv·is·removed260 ····-·name:·Ensure·ypserv·is·removed
261 ······package:261 ······package:
262 ········name="{{item}}"262 ········name="{{item}}"
263 ········state=absent263 ········state=absent
264 ······with_items:264 ······with_items:
265 ········-·ypserv265 ········-·ypserv
266 ······tags:266 ······tags:
Offset 389, 14 lines modifiedOffset 389, 33 lines modified
389 ········-·low_disruption389 ········-·low_disruption
390 ········-·CCE-80258-7390 ········-·CCE-80258-7
391 ········-·NIST-800-53-AC-17(8)391 ········-·NIST-800-53-AC-17(8)
392 ········-·NIST-800-53-CM-7392 ········-·NIST-800-53-CM-7
393 ········-·NIST-800-53-CM-6(b)393 ········-·NIST-800-53-CM-6(b)
394 ········-·DISA-STIG-RHEL-07-021300394 ········-·DISA-STIG-RHEL-07-021300
395 ····395 ····
 396 ····-·name:·"Enable·Use·of·Strict·Mode·Checking"
 397 ······lineinfile:
 398 ········create:·yes
 399 ········dest:·/etc/ssh/sshd_config
 400 ········regexp:·(?i)^#?strictmodes
 401 ········line:·StrictModes·yes
 402 ········validate:·sshd·-t·-f·%s
 403 ······#notify:·restart·sshd
 404 ······tags:
 405 ········-·sshd_enable_strictmodes
 406 ········-·medium_severity
 407 ········-·restrict_strategy
 408 ········-·low_complexity
 409 ········-·low_disruption
 410 ········-·CCE-80222-3
 411 ········-·NIST-800-53-AC-6
 412 ········-·NIST-800-171-3.1.12
 413 ········-·DISA-STIG-RHEL-07-040450
 414 ····
396 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"415 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"
397 ······lineinfile:416 ······lineinfile:
398 ········create:·yes417 ········create:·yes
399 ········dest:·/etc/ssh/sshd_config418 ········dest:·/etc/ssh/sshd_config
400 ········regexp:·^IgnoreUserKnownHosts419 ········regexp:·^IgnoreUserKnownHosts
401 ········line:·IgnoreUserKnownHosts·yes420 ········line:·IgnoreUserKnownHosts·yes
402 ········validate:·sshd·-t·-f·%s421 ········validate:·sshd·-t·-f·%s
Offset 452, 32 lines modifiedOffset 471, 14 lines modified
452 ········-·NIST-800-53-AC-2(5)471 ········-·NIST-800-53-AC-2(5)
453 ········-·NIST-800-53-SA-8472 ········-·NIST-800-53-SA-8
454 ········-·NIST-800-53-AC-12473 ········-·NIST-800-53-AC-12
455 ········-·NIST-800-171-3.1.11474 ········-·NIST-800-171-3.1.11
456 ········-·CJIS-5.5.6475 ········-·CJIS-5.5.6
457 ········-·DISA-STIG-RHEL-07-040340476 ········-·DISA-STIG-RHEL-07-040340
458 ····477 ····
459 ····-·name:·Disable·SSH·Support·for·Rhosts·RSA·Authentication 
460 ······lineinfile: 
461 ········create:·yes 
462 ········dest:·/etc/ssh/sshd_config 
463 ········regexp:·^RhostsRSAAuthentication 
464 ········line:·RhostsRSAAuthentication·no 
465 ········validate:·sshd·-t·-f·%s 
466 ······tags: 
467 ········-·sshd_disable_rhosts_rsa 
468 ········-·medium_severity 
469 ········-·restrict_strategy 
470 ········-·low_complexity 
471 ········-·low_disruption 
472 ········-·CCE-80373-4 
473 ········-·NIST-800-53-CM-6(a) 
474 ········-·NIST-800-171-3.1.12 
475 ········-·DISA-STIG-RHEL-07-040330 
476 ···· 
477 ····-·name:·Enable·SSH·Warning·Banner478 ····-·name:·Enable·SSH·Warning·Banner
478 ······lineinfile:479 ······lineinfile:
479 ········create:·yes480 ········create:·yes
480 ········dest:·/etc/ssh/sshd_config481 ········dest:·/etc/ssh/sshd_config
481 ········regexp:·^Banner482 ········regexp:·^Banner
482 ········line:·Banner·/etc/issue483 ········line:·Banner·/etc/issue
483 ········validate:·sshd·-t·-f·%s484 ········validate:·sshd·-t·-f·%s
Offset 516, 33 lines modifiedOffset 517, 14 lines modified
516 ········-·NIST-800-53-IA-7517 ········-·NIST-800-53-IA-7
517 ········-·NIST-800-53-SC-13518 ········-·NIST-800-53-SC-13
Max diff block lines reached; 98846/102348 bytes (96.58%) of diff not shown.
177 KB
./usr/share/scap-security-guide/ansible/ssg-rhel7-role-nist-800-171-cui.yml
Ordering differences only
    
Offset 50, 93 lines modifiedOffset 50, 93 lines modified
50 ··········50 ··········
51 ···vars:51 ···vars:
52 ······sshd_idle_timeout_value:·60052 ······sshd_idle_timeout_value:·600
53 ······sshd_listening_port:·2253 ······sshd_listening_port:·22
54 ······inactivity_timeout_value:·60054 ······inactivity_timeout_value:·600
55 ······rsyslog_remote_loghost_address:·logcollector55 ······rsyslog_remote_loghost_address:·logcollector
56 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·056 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0
57 ······sysctl_net_ipv6_conf_all_forwarding_value:·0 
58 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·057 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0
 58 ······sysctl_net_ipv6_conf_all_forwarding_value:·0
59 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·059 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0
60 ······sysctl_net_ipv6_conf_default_accept_ra_value:·060 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
61 ······sysctl_net_ipv6_conf_all_accept_ra_value:·061 ······sysctl_net_ipv6_conf_all_accept_ra_value:·0
62 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·062 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
63 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·063 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
64 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·164 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
65 ······sysctl_net_ipv4_conf_default_log_martians_value:·165 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
66 ······sysctl_net_ipv4_conf_default_rp_filter_value:·166 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
67 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·067 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
68 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·068 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
69 ······sysctl_net_ipv4_tcp_syncookies_value:·169 ······sysctl_net_ipv4_tcp_syncookies_value:·1
70 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·070 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
71 ······sysctl_net_ipv4_conf_all_log_martians_value:·171 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
72 ······sysctl_net_ipv4_conf_all_rp_filter_value:·172 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
73 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·173 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
74 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·074 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
75 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·075 ······sysctl_net_ipv4_conf_default_log_martians_value:·1
76 ······var_ssh_sysadm_login:·false76 ······var_ssh_sysadm_login:·false
 77 ······var_login_console_enabled:·true
77 ······var_auditadm_exec_content:·true78 ······var_auditadm_exec_content:·true
78 ······var_selinuxuser_execstack:·true79 ······var_selinuxuser_execstack:·true
79 ······var_mount_anyfile:·true80 ······var_mount_anyfile:·true
80 ······var_daemons_use_tcp_wrapper:·false81 ······var_cron_system_cronjob_use_shares:·false
81 ······var_cron_can_relabel:·false82 ······var_cron_can_relabel:·false
 83 ······var_guest_exec_content:·true
 84 ······var_secure_mode:·false
82 ······var_user_exec_content:·true85 ······var_user_exec_content:·true
83 ······var_deny_ptrace:·false86 ······var_deny_ptrace:·false
84 ······var_guest_exec_content:·true 
85 ······var_xserver_object_manager:·false87 ······var_xserver_object_manager:·false
86 ······var_xdm_sysadm_login:·false88 ······var_xdm_sysadm_login:·false
 89 ······var_sysadm_exec_content:·true
87 ······var_selinuxuser_mysql_connect_enabled:·false90 ······var_selinuxuser_mysql_connect_enabled:·false
88 ······var_xguest_mount_media:·true91 ······var_selinuxuser_udp_server:·false
89 ······var_secure_mode:·false 
90 ······var_ssh_keysign:·false92 ······var_ssh_keysign:·false
91 ······var_staff_exec_content:·true93 ······var_staff_exec_content:·true
 94 ······var_gpg_web_anon_write:·false
92 ······var_xserver_execmem:·false95 ······var_xserver_execmem:·false
93 ······var_secure_mode_insmod:·false96 ······var_cron_userdomain_transition:·true
 97 ······var_xguest_mount_media:·true
94 ······var_selinuxuser_rw_noexattrfile:·true98 ······var_selinuxuser_rw_noexattrfile:·true
95 ······var_deny_execmem:·false99 ······var_deny_execmem:·false
96 ······var_ssh_chroot_rw_homedirs:·false100 ······var_ssh_chroot_rw_homedirs:·false
97 ······var_logging_syslogd_can_sendmail:·false 
98 ······var_abrt_anon_write:·false101 ······var_abrt_anon_write:·false
99 ······var_cron_userdomain_transition:·true102 ······var_kerberos_enabled:·true
100 ······var_logging_syslogd_use_tty:·true103 ······var_logging_syslogd_use_tty:·true
101 ······var_login_console_enabled:·true 
102 ······var_abrt_handle_event:·false104 ······var_abrt_handle_event:·false
 105 ······var_mock_enable_homedirs:·false
 106 ······var_secure_mode_insmod:·false
103 ······var_unconfined_login:·true107 ······var_unconfined_login:·true
 108 ······var_logging_syslogd_can_sendmail:·false
104 ······var_selinuxuser_postgresql_connect_enabled:·false109 ······var_selinuxuser_postgresql_connect_enabled:·false
 110 ······var_daemons_use_tcp_wrapper:·false
105 ······var_abrt_upload_watch_anon_write:·true111 ······var_abrt_upload_watch_anon_write:·true
106 ······var_daemons_use_tty:·false112 ······var_daemons_use_tty:·false
107 ······var_selinuxuser_tcp_server:·false113 ······var_selinuxuser_tcp_server:·false
108 ······var_selinuxuser_direct_dri_enabled:·true114 ······var_selinuxuser_direct_dri_enabled:·true
109 ······var_xdm_bind_vnc_tcp_port:·false115 ······var_xdm_bind_vnc_tcp_port:·false
110 ······var_xserver_clients_write_xshm:·false116 ······var_xserver_clients_write_xshm:·false
111 ······var_use_ecryptfs_home_dirs:·false117 ······var_use_ecryptfs_home_dirs:·false
112 ······var_mock_enable_homedirs:·false 
113 ······var_xguest_exec_content:·true118 ······var_xguest_exec_content:·true
 119 ······var_xdm_write_home:·false
 120 ······var_logadm_exec_content:·true
114 ······var_domain_fd_use:·true121 ······var_domain_fd_use:·true
115 ······var_selinuxuser_udp_server:·false 
116 ······var_mmap_low_allowed:·false122 ······var_mmap_low_allowed:·false
117 ······var_selinuxuser_share_music:·false123 ······var_selinuxuser_share_music:·false
118 ······var_selinuxuser_execmod:·true124 ······var_selinuxuser_execmod:·true
119 ······var_cron_system_cronjob_use_shares:·false 
120 ······var_logadm_exec_content:·true 
121 ······var_xguest_connect_network:·true125 ······var_xguest_connect_network:·true
122 ······var_xdm_write_home:·false 
123 ······var_sysadm_exec_content:·true 
124 ······var_xguest_use_bluetooth:·true126 ······var_xguest_use_bluetooth:·true
125 ······var_kerberos_enabled:·true127 ······var_selinuxuser_execheap:·false
126 ······var_secure_mode_policyload:·false 
127 ······var_daemons_dump_core:·false128 ······var_daemons_dump_core:·false
128 ······var_xdm_exec_bootloader:·false129 ······var_xdm_exec_bootloader:·false
129 ······var_gpg_web_anon_write:·false 
130 ······var_fips_mode:·true130 ······var_fips_mode:·true
131 ······var_polyinstantiation_enabled:·false131 ······var_polyinstantiation_enabled:·false
132 ······var_domain_kernel_load_modules:·false132 ······var_domain_kernel_load_modules:·false
133 ······var_selinuxuser_use_ssh_chroot:·false133 ······var_selinuxuser_use_ssh_chroot:·false
134 ······var_selinuxuser_ping:·true134 ······var_selinuxuser_ping:·true
135 ······var_selinuxuser_execheap:·false135 ······var_secure_mode_policyload:·false
136 ······var_secadm_exec_content:·true136 ······var_secadm_exec_content:·true
137 ······var_selinux_policy_name:·targeted137 ······var_selinux_policy_name:·targeted
138 ······var_selinux_state:·enforcing138 ······var_selinux_state:·enforcing
139 ······var_accounts_password_minlen_login_defs:·6139 ······var_accounts_password_minlen_login_defs:·6
140 ······var_accounts_password_warn_age_login_defs:·7140 ······var_accounts_password_warn_age_login_defs:·7
141 ······var_accounts_minimum_age_login_defs:·7141 ······var_accounts_minimum_age_login_defs:·7
142 ······var_accounts_maximum_age_login_defs:·60142 ······var_accounts_maximum_age_login_defs:·60
Offset 156, 22 lines modifiedOffset 156, 22 lines modified
156 ······var_password_pam_difok:·8156 ······var_password_pam_difok:·8
157 ······var_password_pam_ocredit:·-1157 ······var_password_pam_ocredit:·-1
158 ······var_password_pam_lcredit:·-1158 ······var_password_pam_lcredit:·-1
159 ······var_password_pam_ucredit:·-1159 ······var_password_pam_ucredit:·-1
160 ······var_password_pam_retry:·3160 ······var_password_pam_retry:·3
161 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.161 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
162 ······var_accounts_user_umask:·077162 ······var_accounts_user_umask:·077
 163 ······var_accounts_max_concurrent_login_sessions:·10
163 ······var_accounts_fail_delay:·4164 ······var_accounts_fail_delay:·4
164 ······var_accounts_tmout:·600165 ······var_accounts_tmout:·600
165 ······var_accounts_max_concurrent_login_sessions:·10 
166 ······var_auditd_max_log_file:·6166 ······var_auditd_max_log_file:·6
167 ······var_auditd_action_mail_acct:·root167 ······var_auditd_action_mail_acct:·root
168 ······var_auditd_space_left_action:·email 
169 ······var_auditd_admin_space_left_action:·single168 ······var_auditd_admin_space_left_action:·single
170 ······var_auditd_max_log_file_action:·rotate169 ······var_auditd_max_log_file_action:·rotate
 170 ······var_auditd_space_left_action:·email
171 ······var_removable_partition:·/dev/cdrom171 ······var_removable_partition:·/dev/cdrom
172 ······var_removable_partition:·/dev/cdrom172 ······var_removable_partition:·/dev/cdrom
173 ······var_removable_partition:·/dev/cdrom173 ······var_removable_partition:·/dev/cdrom
Max diff block lines reached; 173777/180658 bytes (96.19%) of diff not shown.
177 KB
./usr/share/scap-security-guide/ansible/ssg-rhel7-role-ospp.yml
Ordering differences only
    
Offset 61, 93 lines modifiedOffset 61, 93 lines modified
61 ··········61 ··········
62 ···vars:62 ···vars:
63 ······sshd_idle_timeout_value:·60063 ······sshd_idle_timeout_value:·600
64 ······sshd_listening_port:·2264 ······sshd_listening_port:·22
65 ······inactivity_timeout_value:·90065 ······inactivity_timeout_value:·900
66 ······rsyslog_remote_loghost_address:·logcollector66 ······rsyslog_remote_loghost_address:·logcollector
67 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·067 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0
68 ······sysctl_net_ipv6_conf_all_forwarding_value:·0 
69 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·068 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0
 69 ······sysctl_net_ipv6_conf_all_forwarding_value:·0
70 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·070 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0
71 ······sysctl_net_ipv6_conf_default_accept_ra_value:·071 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
72 ······sysctl_net_ipv6_conf_all_accept_ra_value:·072 ······sysctl_net_ipv6_conf_all_accept_ra_value:·0
73 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·073 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
74 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·074 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
75 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·175 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
76 ······sysctl_net_ipv4_conf_default_log_martians_value:·176 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
77 ······sysctl_net_ipv4_conf_default_rp_filter_value:·177 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
78 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·078 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
79 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·079 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
80 ······sysctl_net_ipv4_tcp_syncookies_value:·180 ······sysctl_net_ipv4_tcp_syncookies_value:·1
81 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·081 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
82 ······sysctl_net_ipv4_conf_all_log_martians_value:·182 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
83 ······sysctl_net_ipv4_conf_all_rp_filter_value:·183 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
84 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·184 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
85 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·085 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
86 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·086 ······sysctl_net_ipv4_conf_default_log_martians_value:·1
87 ······var_ssh_sysadm_login:·false87 ······var_ssh_sysadm_login:·false
 88 ······var_login_console_enabled:·true
88 ······var_auditadm_exec_content:·true89 ······var_auditadm_exec_content:·true
89 ······var_selinuxuser_execstack:·true90 ······var_selinuxuser_execstack:·true
90 ······var_mount_anyfile:·true91 ······var_mount_anyfile:·true
91 ······var_daemons_use_tcp_wrapper:·false92 ······var_cron_system_cronjob_use_shares:·false
92 ······var_cron_can_relabel:·false93 ······var_cron_can_relabel:·false
 94 ······var_guest_exec_content:·true
 95 ······var_secure_mode:·false
93 ······var_user_exec_content:·true96 ······var_user_exec_content:·true
94 ······var_deny_ptrace:·false97 ······var_deny_ptrace:·false
95 ······var_guest_exec_content:·true 
96 ······var_xserver_object_manager:·false98 ······var_xserver_object_manager:·false
97 ······var_xdm_sysadm_login:·false99 ······var_xdm_sysadm_login:·false
 100 ······var_sysadm_exec_content:·true
98 ······var_selinuxuser_mysql_connect_enabled:·false101 ······var_selinuxuser_mysql_connect_enabled:·false
99 ······var_xguest_mount_media:·true102 ······var_selinuxuser_udp_server:·false
100 ······var_secure_mode:·false 
101 ······var_ssh_keysign:·false103 ······var_ssh_keysign:·false
102 ······var_staff_exec_content:·true104 ······var_staff_exec_content:·true
 105 ······var_gpg_web_anon_write:·false
103 ······var_xserver_execmem:·false106 ······var_xserver_execmem:·false
104 ······var_secure_mode_insmod:·false107 ······var_cron_userdomain_transition:·true
 108 ······var_xguest_mount_media:·true
105 ······var_selinuxuser_rw_noexattrfile:·true109 ······var_selinuxuser_rw_noexattrfile:·true
106 ······var_deny_execmem:·false110 ······var_deny_execmem:·false
107 ······var_ssh_chroot_rw_homedirs:·false111 ······var_ssh_chroot_rw_homedirs:·false
108 ······var_logging_syslogd_can_sendmail:·false 
109 ······var_abrt_anon_write:·false112 ······var_abrt_anon_write:·false
110 ······var_cron_userdomain_transition:·true113 ······var_kerberos_enabled:·true
111 ······var_logging_syslogd_use_tty:·true114 ······var_logging_syslogd_use_tty:·true
112 ······var_login_console_enabled:·true 
113 ······var_abrt_handle_event:·false115 ······var_abrt_handle_event:·false
 116 ······var_mock_enable_homedirs:·false
 117 ······var_secure_mode_insmod:·false
114 ······var_unconfined_login:·true118 ······var_unconfined_login:·true
 119 ······var_logging_syslogd_can_sendmail:·false
115 ······var_selinuxuser_postgresql_connect_enabled:·false120 ······var_selinuxuser_postgresql_connect_enabled:·false
 121 ······var_daemons_use_tcp_wrapper:·false
116 ······var_abrt_upload_watch_anon_write:·true122 ······var_abrt_upload_watch_anon_write:·true
117 ······var_daemons_use_tty:·false123 ······var_daemons_use_tty:·false
118 ······var_selinuxuser_tcp_server:·false124 ······var_selinuxuser_tcp_server:·false
119 ······var_selinuxuser_direct_dri_enabled:·true125 ······var_selinuxuser_direct_dri_enabled:·true
120 ······var_xdm_bind_vnc_tcp_port:·false126 ······var_xdm_bind_vnc_tcp_port:·false
121 ······var_xserver_clients_write_xshm:·false127 ······var_xserver_clients_write_xshm:·false
122 ······var_use_ecryptfs_home_dirs:·false128 ······var_use_ecryptfs_home_dirs:·false
123 ······var_mock_enable_homedirs:·false 
124 ······var_xguest_exec_content:·true129 ······var_xguest_exec_content:·true
 130 ······var_xdm_write_home:·false
 131 ······var_logadm_exec_content:·true
125 ······var_domain_fd_use:·true132 ······var_domain_fd_use:·true
126 ······var_selinuxuser_udp_server:·false 
127 ······var_mmap_low_allowed:·false133 ······var_mmap_low_allowed:·false
128 ······var_selinuxuser_share_music:·false134 ······var_selinuxuser_share_music:·false
129 ······var_selinuxuser_execmod:·true135 ······var_selinuxuser_execmod:·true
130 ······var_cron_system_cronjob_use_shares:·false 
131 ······var_logadm_exec_content:·true 
132 ······var_xguest_connect_network:·true136 ······var_xguest_connect_network:·true
133 ······var_xdm_write_home:·false 
134 ······var_sysadm_exec_content:·true 
135 ······var_xguest_use_bluetooth:·true137 ······var_xguest_use_bluetooth:·true
136 ······var_kerberos_enabled:·true138 ······var_selinuxuser_execheap:·false
137 ······var_secure_mode_policyload:·false 
138 ······var_daemons_dump_core:·false139 ······var_daemons_dump_core:·false
139 ······var_xdm_exec_bootloader:·false140 ······var_xdm_exec_bootloader:·false
140 ······var_gpg_web_anon_write:·false 
141 ······var_fips_mode:·true141 ······var_fips_mode:·true
142 ······var_polyinstantiation_enabled:·false142 ······var_polyinstantiation_enabled:·false
143 ······var_domain_kernel_load_modules:·false143 ······var_domain_kernel_load_modules:·false
144 ······var_selinuxuser_use_ssh_chroot:·false144 ······var_selinuxuser_use_ssh_chroot:·false
145 ······var_selinuxuser_ping:·true145 ······var_selinuxuser_ping:·true
146 ······var_selinuxuser_execheap:·false146 ······var_secure_mode_policyload:·false
147 ······var_secadm_exec_content:·true147 ······var_secadm_exec_content:·true
148 ······var_selinux_policy_name:·targeted148 ······var_selinux_policy_name:·targeted
149 ······var_selinux_state:·enforcing149 ······var_selinux_state:·enforcing
150 ······var_accounts_password_minlen_login_defs:·6150 ······var_accounts_password_minlen_login_defs:·6
151 ······var_accounts_password_warn_age_login_defs:·7151 ······var_accounts_password_warn_age_login_defs:·7
152 ······var_accounts_minimum_age_login_defs:·7152 ······var_accounts_minimum_age_login_defs:·7
153 ······var_accounts_maximum_age_login_defs:·60153 ······var_accounts_maximum_age_login_defs:·60
Offset 167, 22 lines modifiedOffset 167, 22 lines modified
167 ······var_password_pam_difok:·8167 ······var_password_pam_difok:·8
168 ······var_password_pam_ocredit:·-1168 ······var_password_pam_ocredit:·-1
169 ······var_password_pam_lcredit:·-1169 ······var_password_pam_lcredit:·-1
170 ······var_password_pam_ucredit:·-1170 ······var_password_pam_ucredit:·-1
171 ······var_password_pam_retry:·3171 ······var_password_pam_retry:·3
172 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.172 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
173 ······var_accounts_user_umask:·077173 ······var_accounts_user_umask:·077
 174 ······var_accounts_max_concurrent_login_sessions:·10
174 ······var_accounts_fail_delay:·4175 ······var_accounts_fail_delay:·4
175 ······var_accounts_tmout:·600176 ······var_accounts_tmout:·600
176 ······var_accounts_max_concurrent_login_sessions:·10 
177 ······var_auditd_max_log_file:·6177 ······var_auditd_max_log_file:·6
178 ······var_auditd_action_mail_acct:·root178 ······var_auditd_action_mail_acct:·root
179 ······var_auditd_space_left_action:·email 
180 ······var_auditd_admin_space_left_action:·single179 ······var_auditd_admin_space_left_action:·single
181 ······var_auditd_max_log_file_action:·rotate180 ······var_auditd_max_log_file_action:·rotate
 181 ······var_auditd_space_left_action:·email
182 ······var_removable_partition:·/dev/cdrom182 ······var_removable_partition:·/dev/cdrom
183 ······var_removable_partition:·/dev/cdrom183 ······var_removable_partition:·/dev/cdrom
184 ······var_removable_partition:·/dev/cdrom184 ······var_removable_partition:·/dev/cdrom
Max diff block lines reached; 173778/180659 bytes (96.19%) of diff not shown.
60.8 KB
./usr/share/scap-security-guide/ansible/ssg-rhel7-role-pci-dss.yml
Ordering differences only
    
Offset 43, 17 lines modifiedOffset 43, 17 lines modified
43 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000043 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
44 ······var_password_pam_minlen:·744 ······var_password_pam_minlen:·7
45 ······var_password_pam_dcredit:·-145 ······var_password_pam_dcredit:·-1
46 ······var_password_pam_lcredit:·-146 ······var_password_pam_lcredit:·-1
47 ······var_password_pam_ucredit:·-147 ······var_password_pam_ucredit:·-1
48 ······var_auditd_max_log_file:·148 ······var_auditd_max_log_file:·1
49 ······var_auditd_action_mail_acct:·admin49 ······var_auditd_action_mail_acct:·admin
50 ······var_auditd_space_left_action:·suspend 
51 ······var_auditd_admin_space_left_action:·suspend50 ······var_auditd_admin_space_left_action:·suspend
52 ······var_auditd_max_log_file_action:·rotate51 ······var_auditd_max_log_file_action:·rotate
 52 ······var_auditd_space_left_action:·suspend
53 ···tasks:53 ···tasks:
54 ····54 ····
55 ····55 ····
56 ····-·name:·Set·SSH·Idle·Timeout·Interval56 ····-·name:·Set·SSH·Idle·Timeout·Interval
57 ······lineinfile:57 ······lineinfile:
58 ········create:·yes58 ········create:·yes
59 ········dest:·/etc/ssh/sshd_config59 ········dest:·/etc/ssh/sshd_config
Offset 596, 91 lines modifiedOffset 596, 91 lines modified
596 ········-·CCE-80111-8596 ········-·CCE-80111-8
597 ········-·NIST-800-53-AC-11(a)597 ········-·NIST-800-53-AC-11(a)
598 ········-·NIST-800-171-3.1.10598 ········-·NIST-800-171-3.1.10
599 ········-·PCI-DSS-Req-8.1.8599 ········-·PCI-DSS-Req-8.1.8
600 ········-·CJIS-5.5.5600 ········-·CJIS-5.5.5
601 ········-·DISA-STIG-RHEL-07-010100601 ········-·DISA-STIG-RHEL-07-010100
602 ····602 ····
603 ····603 ····-·name:·"Implement·Blank·Screensaver"
604 ···· 
605 ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" 
606 ······ini_file:604 ······ini_file:
607 ········dest:·"/etc/dconf/db/local.d/00-security-settings"605 ········dest:·"/etc/dconf/db/local.d/00-security-settings"
608 ········section:·"org/gnome/desktop/screensaver"606 ········section:·"org/gnome/desktop/screensaver"
609 ········option:·idle-delay607 ········option:·picture-uri
610 ········value:·"{{·inactivity_timeout_value·}}"608 ········value:·string·''
611 ········create:·yes609 ········create:·yes
612 ······tags:610 ······tags:
613 ········-·dconf_gnome_screensaver_idle_delay611 ········-·dconf_gnome_screensaver_mode_blank
614 ········-·medium_severity612 ········-·unknown_severity
615 ········-·unknown_strategy613 ········-·unknown_strategy
616 ········-·low_complexity614 ········-·low_complexity
617 ········-·medium_disruption615 ········-·medium_disruption
618 ········-·CCE-80110-0616 ········-·CCE-80113-4
619 ········-·NIST-800-53-AC-11(a)617 ········-·NIST-800-53-AC-11(b)
620 ········-·NIST-800-171-3.1.10618 ········-·NIST-800-171-3.1.10
621 ········-·PCI-DSS-Req-8.1.8619 ········-·PCI-DSS-Req-8.1.8
622 ········-·CJIS-5.5.5620 ········-·CJIS-5.5.5
623 ········-·DISA-STIG-RHEL-07-010070 
624 ····621 ····
625 ····-·name:·"Prevent·user·modification·of·GNOME·idle-delay"622 ····-·name:·"Prevent·user·modification·of·GNOME·picture-uri"
626 ······lineinfile:623 ······lineinfile:
627 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock624 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock
628 ········regexp:·'^/org/gnome/desktop/screensaver/idle-delay'625 ········regexp:·'^/org/gnome/desktop/screensaver/picture-uri'
629 ········line:·'/org/gnome/desktop/screensaver/idle-delay'626 ········line:·'/org/gnome/desktop/screensaver/picture-uri'
630 ········create:·yes627 ········create:·yes
631 ······tags:628 ······tags:
632 ········-·dconf_gnome_screensaver_idle_delay629 ········-·dconf_gnome_screensaver_mode_blank
633 ········-·medium_severity630 ········-·unknown_severity
634 ········-·unknown_strategy631 ········-·unknown_strategy
635 ········-·low_complexity632 ········-·low_complexity
636 ········-·medium_disruption633 ········-·medium_disruption
637 ········-·CCE-80110-0634 ········-·CCE-80113-4
638 ········-·NIST-800-53-AC-11(a)635 ········-·NIST-800-53-AC-11(b)
639 ········-·NIST-800-171-3.1.10636 ········-·NIST-800-171-3.1.10
640 ········-·PCI-DSS-Req-8.1.8637 ········-·PCI-DSS-Req-8.1.8
641 ········-·CJIS-5.5.5638 ········-·CJIS-5.5.5
642 ········-·DISA-STIG-RHEL-07-010070 
643 ····639 ····
644 ····-·name:·"Implement·Blank·Screensaver"640 ····
 641 ····
 642 ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout"
645 ······ini_file:643 ······ini_file:
646 ········dest:·"/etc/dconf/db/local.d/00-security-settings"644 ········dest:·"/etc/dconf/db/local.d/00-security-settings"
647 ········section:·"org/gnome/desktop/screensaver"645 ········section:·"org/gnome/desktop/screensaver"
648 ········option:·picture-uri646 ········option:·idle-delay
649 ········value:·string·''647 ········value:·"{{·inactivity_timeout_value·}}"
650 ········create:·yes648 ········create:·yes
651 ······tags:649 ······tags:
652 ········-·dconf_gnome_screensaver_mode_blank650 ········-·dconf_gnome_screensaver_idle_delay
653 ········-·unknown_severity651 ········-·medium_severity
654 ········-·unknown_strategy652 ········-·unknown_strategy
655 ········-·low_complexity653 ········-·low_complexity
656 ········-·medium_disruption654 ········-·medium_disruption
657 ········-·CCE-80113-4655 ········-·CCE-80110-0
658 ········-·NIST-800-53-AC-11(b)656 ········-·NIST-800-53-AC-11(a)
659 ········-·NIST-800-171-3.1.10657 ········-·NIST-800-171-3.1.10
660 ········-·PCI-DSS-Req-8.1.8658 ········-·PCI-DSS-Req-8.1.8
661 ········-·CJIS-5.5.5659 ········-·CJIS-5.5.5
 660 ········-·DISA-STIG-RHEL-07-010070
662 ····661 ····
663 ····-·name:·"Prevent·user·modification·of·GNOME·picture-uri"662 ····-·name:·"Prevent·user·modification·of·GNOME·idle-delay"
664 ······lineinfile:663 ······lineinfile:
665 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock664 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock
666 ········regexp:·'^/org/gnome/desktop/screensaver/picture-uri'665 ········regexp:·'^/org/gnome/desktop/screensaver/idle-delay'
667 ········line:·'/org/gnome/desktop/screensaver/picture-uri'666 ········line:·'/org/gnome/desktop/screensaver/idle-delay'
668 ········create:·yes667 ········create:·yes
669 ······tags:668 ······tags:
670 ········-·dconf_gnome_screensaver_mode_blank669 ········-·dconf_gnome_screensaver_idle_delay
671 ········-·unknown_severity670 ········-·medium_severity
672 ········-·unknown_strategy671 ········-·unknown_strategy
673 ········-·low_complexity672 ········-·low_complexity
674 ········-·medium_disruption673 ········-·medium_disruption
675 ········-·CCE-80113-4674 ········-·CCE-80110-0
676 ········-·NIST-800-53-AC-11(b)675 ········-·NIST-800-53-AC-11(a)
677 ········-·NIST-800-171-3.1.10676 ········-·NIST-800-171-3.1.10
678 ········-·PCI-DSS-Req-8.1.8677 ········-·PCI-DSS-Req-8.1.8
679 ········-·CJIS-5.5.5678 ········-·CJIS-5.5.5
 679 ········-·DISA-STIG-RHEL-07-010070
680 ····680 ····
681 ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period"681 ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period"
682 ······ini_file:682 ······ini_file:
683 ········dest:·"/etc/dconf/db/local.d/00-security-settings"683 ········dest:·"/etc/dconf/db/local.d/00-security-settings"
684 ········section:·"org/gnome/desktop/screensaver"684 ········section:·"org/gnome/desktop/screensaver"
685 ········option:·lock-enabled685 ········option:·lock-enabled
686 ········value:·"true"686 ········value:·"true"
Offset 1129, 79 lines modifiedOffset 1129, 79 lines modified
1129 ········-·NIST-800-171-3.3.11129 ········-·NIST-800-171-3.3.1
1130 ········-·PCI-DSS-Req-10.7.a1130 ········-·PCI-DSS-Req-10.7.a
1131 ········-·CJIS-5.4.1.11131 ········-·CJIS-5.4.1.1
1132 ········-·DISA-STIG-RHEL-07-0303501132 ········-·DISA-STIG-RHEL-07-030350
1133 ····1133 ····
1134 ····1134 ····
1135 ····1135 ····
1136 ····-·name:·Configure·auditd·space_left·Action·on·Low·Disk·Space1136 ····-·name:·Configure·auditd·admin_space_left·Action·on·Low·Disk·Space
1137 ······lineinfile:1137 ······lineinfile:
1138 ········dest:·/etc/audit/auditd.conf1138 ········dest:·/etc/audit/auditd.conf
1139 ········line:·"space_left_action·=·{{·var_auditd_space_left_action·}}"1139 ········line:·"admin_space_left_action·=·{{·var_auditd_admin_space_left_action·}}"
1140 ········regexp:·^space_left_action*1140 ········regexp:·"^admin_space_left_action*"
Max diff block lines reached; 56742/62091 bytes (91.39%) of diff not shown.
7.01 KB
./usr/share/scap-security-guide/ansible/ssg-rhel7-role-rht-ccp.yml
Ordering differences only
    
Offset 164, 14 lines modifiedOffset 164, 39 lines modified
164 ········-·NIST-800-53-AC-2(5)164 ········-·NIST-800-53-AC-2(5)
165 ········-·NIST-800-53-SA-8165 ········-·NIST-800-53-SA-8
166 ········-·NIST-800-53-AC-12166 ········-·NIST-800-53-AC-12
167 ········-·NIST-800-171-3.1.11167 ········-·NIST-800-171-3.1.11
168 ········-·CJIS-5.5.6168 ········-·CJIS-5.5.6
169 ········-·DISA-STIG-RHEL-07-040340169 ········-·DISA-STIG-RHEL-07-040340
170 ····170 ····
 171 ····
 172 ····
 173 ····-·name:·Set·SSH·Idle·Timeout·Interval
 174 ······lineinfile:
 175 ········create:·yes
 176 ········dest:·/etc/ssh/sshd_config
 177 ········regexp:·^ClientAliveInterval
 178 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"
 179 ········validate:·sshd·-t·-f·%s
 180 ······#notify:·restart·sshd
 181 ······tags:
 182 ········-·sshd_set_idle_timeout
 183 ········-·unknown_severity
 184 ········-·restrict_strategy
 185 ········-·low_complexity
 186 ········-·low_disruption
 187 ········-·CCE-27433-2
 188 ········-·NIST-800-53-AC-2(5)
 189 ········-·NIST-800-53-SA-8(i)
 190 ········-·NIST-800-53-AC-12
 191 ········-·NIST-800-171-3.1.11
 192 ········-·PCI-DSS-Req-8.1.8
 193 ········-·CJIS-5.5.6
 194 ········-·DISA-STIG-RHEL-07-040320
 195 ····
171 ····-·name:·Enable·SSH·Warning·Banner196 ····-·name:·Enable·SSH·Warning·Banner
172 ······lineinfile:197 ······lineinfile:
173 ········create:·yes198 ········create:·yes
174 ········dest:·/etc/ssh/sshd_config199 ········dest:·/etc/ssh/sshd_config
175 ········regexp:·^Banner200 ········regexp:·^Banner
176 ········line:·Banner·/etc/issue201 ········line:·Banner·/etc/issue
177 ········validate:·sshd·-t·-f·%s202 ········validate:·sshd·-t·-f·%s
Offset 187, 33 lines modifiedOffset 212, 14 lines modified
187 ········-·NIST-800-53-AC-8(c)(1)212 ········-·NIST-800-53-AC-8(c)(1)
188 ········-·NIST-800-53-AC-8(c)(2)213 ········-·NIST-800-53-AC-8(c)(2)
189 ········-·NIST-800-53-AC-8(c)(3)214 ········-·NIST-800-53-AC-8(c)(3)
190 ········-·NIST-800-171-3.1.9215 ········-·NIST-800-171-3.1.9
191 ········-·CJIS-5.5.6216 ········-·CJIS-5.5.6
192 ········-·DISA-STIG-RHEL-07-040170217 ········-·DISA-STIG-RHEL-07-040170
193 ····218 ····
194 ····-·name:·Do·Not·Allow·SSH·Environment·Options 
195 ······lineinfile: 
196 ········create:·yes 
197 ········dest:·/etc/ssh/sshd_config 
198 ········regexp:·^PermitUserEnvironment 
199 ········line:·PermitUserEnvironment·no 
200 ········validate:·sshd·-t·-f·%s 
201 ······tags: 
202 ········-·sshd_do_not_permit_user_env 
203 ········-·medium_severity 
204 ········-·restrict_strategy 
205 ········-·low_complexity 
206 ········-·low_disruption 
207 ········-·CCE-27363-1 
208 ········-·NIST-800-53-CM-6(b) 
209 ········-·NIST-800-171-3.1.12 
210 ········-·CJIS-5.5.6 
211 ········-·DISA-STIG-RHEL-07-010460 
212 ···· 
213 ····219 ····
214 ····-·name:·"Allow·Only·SSH·Protocol·2"220 ····-·name:·"Allow·Only·SSH·Protocol·2"
215 ······lineinfile:221 ······lineinfile:
216 ········dest:·/etc/ssh/sshd_config222 ········dest:·/etc/ssh/sshd_config
217 ········regexp:·"^Protocol·[0-9]"223 ········regexp:·"^Protocol·[0-9]"
218 ········line:·"Protocol·2"224 ········line:·"Protocol·2"
219 ········validate:·sshd·-t·-f·%s225 ········validate:·sshd·-t·-f·%s
Offset 248, 38 lines modifiedOffset 254, 32 lines modified
248 ········-·CCE-27377-1254 ········-·CCE-27377-1
249 ········-·NIST-800-53-AC-3255 ········-·NIST-800-53-AC-3
250 ········-·NIST-800-53-CM-6(a)256 ········-·NIST-800-53-CM-6(a)
251 ········-·NIST-800-171-3.1.12257 ········-·NIST-800-171-3.1.12
252 ········-·CJIS-5.5.6258 ········-·CJIS-5.5.6
253 ········-·DISA-STIG-RHEL-07-040350259 ········-·DISA-STIG-RHEL-07-040350
254 ····260 ····
255 ····261 ····-·name:·Do·Not·Allow·SSH·Environment·Options
256 ···· 
257 ····-·name:·Set·SSH·Idle·Timeout·Interval 
258 ······lineinfile:262 ······lineinfile:
259 ········create:·yes263 ········create:·yes
260 ········dest:·/etc/ssh/sshd_config264 ········dest:·/etc/ssh/sshd_config
261 ········regexp:·^ClientAliveInterval265 ········regexp:·^PermitUserEnvironment
262 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"266 ········line:·PermitUserEnvironment·no
263 ········validate:·sshd·-t·-f·%s267 ········validate:·sshd·-t·-f·%s
264 ······#notify:·restart·sshd 
265 ······tags:268 ······tags:
266 ········-·sshd_set_idle_timeout269 ········-·sshd_do_not_permit_user_env
267 ········-·unknown_severity270 ········-·medium_severity
268 ········-·restrict_strategy271 ········-·restrict_strategy
269 ········-·low_complexity272 ········-·low_complexity
270 ········-·low_disruption273 ········-·low_disruption
271 ········-·CCE-27433-2274 ········-·CCE-27363-1
272 ········-·NIST-800-53-AC-2(5)275 ········-·NIST-800-53-CM-6(b)
273 ········-·NIST-800-53-SA-8(i)276 ········-·NIST-800-171-3.1.12
274 ········-·NIST-800-53-AC-12 
275 ········-·NIST-800-171-3.1.11 
276 ········-·PCI-DSS-Req-8.1.8 
277 ········-·CJIS-5.5.6277 ········-·CJIS-5.5.6
278 ········-·DISA-STIG-RHEL-07-040320278 ········-·DISA-STIG-RHEL-07-010460
279 ····279 ····
280 ····-·name:·Use·Only·Approved·Ciphers280 ····-·name:·Use·Only·Approved·Ciphers
281 ······lineinfile:281 ······lineinfile:
282 ········create:·yes282 ········create:·yes
283 ········dest:·/etc/ssh/sshd_config283 ········dest:·/etc/ssh/sshd_config
284 ········regexp:·^Ciphers284 ········regexp:·^Ciphers
285 ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc285 ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Offset 1435, 72 lines modifiedOffset 1435, 72 lines modified
1435 ········-·low_complexity1435 ········-·low_complexity
1436 ········-·low_disruption1436 ········-·low_disruption
1437 ········-·CCE-26887-01437 ········-·CCE-26887-0
1438 ········-·NIST-800-53-AC-61438 ········-·NIST-800-53-AC-6
1439 ········-·PCI-DSS-Req-8.7.c1439 ········-·PCI-DSS-Req-8.7.c
1440 ········-·CJIS-5.5.2.21440 ········-·CJIS-5.5.2.2
1441 ····1441 ····
1442 ····-·name:·"Read·list·libraries·without·root·ownership"1442 ····-·name:·"Read·list·of·world·and·group·writable·system·executables"
1443 ······shell:·"find·-L·/usr/lib·/usr/lib64·/lib·/lib64·\\!·-user·root"1443 ······shell:·"find·/bin·/usr/bin·/usr/local/bin·/sbin·/usr/sbin·/usr/local/sbin·/usr/libexec·-perm·/022·-type·f"
1444 ······register:·libraries_not_owned_by_root1444 ······register:·world_writable_library_files
1445 ······changed_when:·False1445 ······changed_when:·False
1446 ······failed_when:·False1446 ······failed_when:·False
1447 ······check_mode:·no1447 ······check_mode:·no
1448 ······tags:1448 ······tags:
Max diff block lines reached; 2725/7023 bytes (38.80%) of diff not shown.
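Review bot: The two builds of this role differ only in where whole tasks land, not in what they contain: in the Offset 164 hunk "Set SSH Idle Timeout Interval" appears at new line 173 while the Offset 248 hunk removes the identical task at old line 257, and "Do Not Allow SSH Environment Options" makes the reverse move from old 194 to new 261, with every module argument and tag list byte-for-byte the same. That pattern is consistent with the playbook generator walking an unordered collection (a dict or set of rules) when it emits remediations, though the generator itself is not on this page, so that cause is inferred. Sorting the tasks on a stable key such as the rule id before writing the file would make the role reproducible and keep genuine content changes visible in a diff instead of buried under moves. The same ordering-only difference is reported for ssg-rhel7-role-standard.yml and ssg-rhel7-role-stig-rhel7-disa.yml below and should be fixed in one place rather than per profile. The last hunk of this section (Offset 1435) is cut off by the diff size limit, so its remaining lines are not reviewed here.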
53.0 KB
./usr/share/scap-security-guide/ansible/ssg-rhel7-role-standard.yml
Ordering differences only
    
Offset 832, 1269 lines modifiedOffset 832, 1269 lines modified
832 ········-·CJIS-5.4.1.1832 ········-·CJIS-5.4.1.1
833 ········-·DISA-STIG-RHEL-07-030440833 ········-·DISA-STIG-RHEL-07-030440
834 ····834 ····
835 ····835 ····
836 ····#836 ····#
837 ····#·What·architecture·are·we·on?837 ····#·What·architecture·are·we·on?
838 ····#838 ····#
839 ····-·name:·Set·architecture·for·audit·fsetxattr·tasks839 ····-·name:·Set·architecture·for·audit·chown·tasks
840 ······set_fact:840 ······set_fact:
841 ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}"841 ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}"
842 ····842 ····
843 ····#843 ····#
844 ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d844 ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d
845 ····#845 ····#
846 ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules846 ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules
847 ······find:847 ······find:
848 ········paths:·"/etc/audit/rules.d"848 ········paths:·"/etc/audit/rules.d"
849 ········recurse:·no849 ········recurse:·no
850 ········contains:·"-F·key=perm_mod$"850 ········contains:·"-F·key=perm_mod$"
851 ········patterns:·"*.rules"851 ········patterns:·"*.rules"
852 ······register:·find_fsetxattr852 ······register:·find_chown
853 ····853 ····
854 ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule854 ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule
855 ······set_fact:855 ······set_fact:
856 ········all_files:·856 ········all_files:·
857 ··········-·/etc/audit/rules.d/privileged.rules857 ··········-·/etc/audit/rules.d/privileged.rules
858 ······when:·find_fsetxattr.matched·==·0858 ······when:·find_chown.matched·==·0
859 ····859 ····
860 ····-·name:·Use·matched·file·as·the·recipient·for·the·rule860 ····-·name:·Use·matched·file·as·the·recipient·for·the·rule
861 ······set_fact:861 ······set_fact:
862 ········all_files:862 ········all_files:
863 ··········-·"{{·find_fsetxattr.files·|·map(attribute='path')·|·list·|·first·}}"863 ··········-·"{{·find_chown.files·|·map(attribute='path')·|·list·|·first·}}"
864 ······when:·find_fsetxattr.matched·>·0864 ······when:·find_chown.matched·>·0
865 ····865 ····
866 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·rules.d·when·on·x86866 ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86
867 ······lineinfile:867 ······lineinfile:
868 ········path:·"{{·all_files[0]·}}"868 ········path:·"{{·all_files[0]·}}"
869 ········line:·"-a·always,exit·-F·arch=b32·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"869 ········line:·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
870 ········create:·yes870 ········create:·yes
871 ······tags:871 ······tags:
872 ········-·audit_rules_dac_modification_fsetxattr872 ········-·audit_rules_dac_modification_chown
873 ········-·unknown_severity873 ········-·unknown_severity
874 ········-·restrict_strategy874 ········-·restrict_strategy
875 ········-·low_complexity875 ········-·low_complexity
876 ········-·low_disruption876 ········-·low_disruption
877 ········-·CCE-27389-6877 ········-·CCE-27364-9
878 ········-·NIST-800-53-AC-17(7)878 ········-·NIST-800-53-AC-17(7)
879 ········-·NIST-800-53-AU-1(b)879 ········-·NIST-800-53-AU-1(b)
880 ········-·NIST-800-53-AU-2(a)880 ········-·NIST-800-53-AU-2(a)
881 ········-·NIST-800-53-AU-2(c)881 ········-·NIST-800-53-AU-2(c)
882 ········-·NIST-800-53-AU-2(d)882 ········-·NIST-800-53-AU-2(d)
883 ········-·NIST-800-53-AU-12(a)883 ········-·NIST-800-53-AU-12(a)
884 ········-·NIST-800-53-AU-12(c)884 ········-·NIST-800-53-AU-12(c)
885 ········-·NIST-800-53-IR-5885 ········-·NIST-800-53-IR-5
886 ········-·NIST-800-171-3.1.7886 ········-·NIST-800-171-3.1.7
887 ········-·PCI-DSS-Req-10.5.5887 ········-·PCI-DSS-Req-10.5.5
888 ········-·CJIS-5.4.1.1888 ········-·CJIS-5.4.1.1
889 ········-·DISA-STIG-RHEL-07-030450889 ········-·DISA-STIG-RHEL-07-030370
890 ····890 ····
891 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·rules.d·when·on·x86_64891 ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86_64
892 ······lineinfile:892 ······lineinfile:
893 ········path:·"{{·all_files[0]·}}"893 ········path:·"{{·all_files[0]·}}"
894 ········line:·"-a·always,exit·-F·arch=b64·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"894 ········line:·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
895 ········create:·yes895 ········create:·yes
896 ······when:·audit_arch·==·'b64'896 ······when:·audit_arch·==·'b64'
897 ······tags:897 ······tags:
898 ········-·audit_rules_dac_modification_fsetxattr898 ········-·audit_rules_dac_modification_chown
899 ········-·unknown_severity899 ········-·unknown_severity
900 ········-·restrict_strategy900 ········-·restrict_strategy
901 ········-·low_complexity901 ········-·low_complexity
902 ········-·low_disruption902 ········-·low_disruption
903 ········-·CCE-27389-6903 ········-·CCE-27364-9
904 ········-·NIST-800-53-AC-17(7)904 ········-·NIST-800-53-AC-17(7)
905 ········-·NIST-800-53-AU-1(b)905 ········-·NIST-800-53-AU-1(b)
906 ········-·NIST-800-53-AU-2(a)906 ········-·NIST-800-53-AU-2(a)
907 ········-·NIST-800-53-AU-2(c)907 ········-·NIST-800-53-AU-2(c)
908 ········-·NIST-800-53-AU-2(d)908 ········-·NIST-800-53-AU-2(d)
909 ········-·NIST-800-53-AU-12(a)909 ········-·NIST-800-53-AU-12(a)
910 ········-·NIST-800-53-AU-12(c)910 ········-·NIST-800-53-AU-12(c)
911 ········-·NIST-800-53-IR-5911 ········-·NIST-800-53-IR-5
912 ········-·NIST-800-171-3.1.7912 ········-·NIST-800-171-3.1.7
913 ········-·PCI-DSS-Req-10.5.5913 ········-·PCI-DSS-Req-10.5.5
914 ········-·CJIS-5.4.1.1914 ········-·CJIS-5.4.1.1
915 ········-·DISA-STIG-RHEL-07-030450915 ········-·DISA-STIG-RHEL-07-030370
916 ····#····916 ····#····
917 ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules917 ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules
918 ····#918 ····#
919 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·/etc/audit/audit.rules·when·on·x86919 ····-·name:·Inserts/replaces·the·chown·rule·in·/etc/audit/audit.rules·when·on·x86
920 ······lineinfile:920 ······lineinfile:
921 ········line:·"{{·item·}}"921 ········line:·"{{·item·}}"
922 ········state:·present922 ········state:·present
923 ········dest:·/etc/audit/audit.rules923 ········dest:·/etc/audit/audit.rules
924 ······with_items:924 ······with_items:
925 ········-·"-a·always,exit·-F·arch=b32·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"925 ········-·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
926 ······tags:926 ······tags:
927 ········-·audit_rules_dac_modification_fsetxattr927 ········-·audit_rules_dac_modification_chown
928 ········-·unknown_severity928 ········-·unknown_severity
929 ········-·restrict_strategy929 ········-·restrict_strategy
930 ········-·low_complexity930 ········-·low_complexity
931 ········-·low_disruption931 ········-·low_disruption
932 ········-·CCE-27389-6932 ········-·CCE-27364-9
933 ········-·NIST-800-53-AC-17(7)933 ········-·NIST-800-53-AC-17(7)
934 ········-·NIST-800-53-AU-1(b)934 ········-·NIST-800-53-AU-1(b)
935 ········-·NIST-800-53-AU-2(a)935 ········-·NIST-800-53-AU-2(a)
936 ········-·NIST-800-53-AU-2(c)936 ········-·NIST-800-53-AU-2(c)
937 ········-·NIST-800-53-AU-2(d)937 ········-·NIST-800-53-AU-2(d)
938 ········-·NIST-800-53-AU-12(a)938 ········-·NIST-800-53-AU-12(a)
939 ········-·NIST-800-53-AU-12(c)939 ········-·NIST-800-53-AU-12(c)
940 ········-·NIST-800-53-IR-5940 ········-·NIST-800-53-IR-5
941 ········-·NIST-800-171-3.1.7941 ········-·NIST-800-171-3.1.7
942 ········-·PCI-DSS-Req-10.5.5942 ········-·PCI-DSS-Req-10.5.5
943 ········-·CJIS-5.4.1.1943 ········-·CJIS-5.4.1.1
944 ········-·DISA-STIG-RHEL-07-030450944 ········-·DISA-STIG-RHEL-07-030370
945 ····945 ····
946 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·audit.rules·when·on·x86_64946 ····-·name:·Inserts/replaces·the·chown·rule·in·audit.rules·when·on·x86_64
947 ······lineinfile:947 ······lineinfile:
948 ········line:·"{{·item·}}"948 ········line:·"{{·item·}}"
949 ········state:·present949 ········state:·present
950 ········dest:·/etc/audit/audit.rules950 ········dest:·/etc/audit/audit.rules
951 ········create:·yes951 ········create:·yes
952 ······with_items:952 ······with_items:
953 ········-·"-a·always,exit·-F·arch=b64·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"953 ········-·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
954 ······when:·audit_arch·==·'b64'954 ······when:·audit_arch·==·'b64'
955 ······tags:955 ······tags:
956 ········-·audit_rules_dac_modification_fsetxattr956 ········-·audit_rules_dac_modification_chown
957 ········-·unknown_severity957 ········-·unknown_severity
958 ········-·restrict_strategy958 ········-·restrict_strategy
Max diff block lines reached; 48574/54119 bytes (89.75%) of diff not shown.
111 KB
./usr/share/scap-security-guide/ansible/ssg-rhel7-role-stig-rhel7-disa.yml
Ordering differences only
    
Offset 44, 18 lines modifiedOffset 44, 18 lines modified
44 ··········44 ··········
45 ···vars:45 ···vars:
46 ······sshd_idle_timeout_value:·60046 ······sshd_idle_timeout_value:·600
47 ······inactivity_timeout_value:·90047 ······inactivity_timeout_value:·900
48 ······rsyslog_remote_loghost_address:·logcollector48 ······rsyslog_remote_loghost_address:·logcollector
49 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·049 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0
50 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·050 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
51 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 
52 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·151 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
53 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 
54 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·052 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
 53 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
 54 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
55 ······var_selinux_policy_name:·targeted55 ······var_selinux_policy_name:·targeted
56 ······var_selinux_state:·enforcing56 ······var_selinux_state:·enforcing
57 ······var_accounts_minimum_age_login_defs:·157 ······var_accounts_minimum_age_login_defs:·1
58 ······var_accounts_maximum_age_login_defs:·6058 ······var_accounts_maximum_age_login_defs:·60
59 ······var_account_disable_post_pw_expiration:·059 ······var_account_disable_post_pw_expiration:·0
60 ······var_accounts_passwords_pam_faillock_deny:·360 ······var_accounts_passwords_pam_faillock_deny:·3
61 ······var_accounts_passwords_pam_faillock_unlock_time:·never61 ······var_accounts_passwords_pam_faillock_unlock_time:·never
Offset 72, 17 lines modifiedOffset 72, 17 lines modified
72 ······var_password_pam_difok:·872 ······var_password_pam_difok:·8
73 ······var_password_pam_ocredit:·-173 ······var_password_pam_ocredit:·-1
74 ······var_password_pam_lcredit:·-174 ······var_password_pam_lcredit:·-1
75 ······var_password_pam_ucredit:·-175 ······var_password_pam_ucredit:·-1
76 ······var_password_pam_retry:·376 ······var_password_pam_retry:·3
77 ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+sear
ching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)77 ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+an
d[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)
78 ······var_accounts_user_umask:·07778 ······var_accounts_user_umask:·077
 79 ······var_accounts_max_concurrent_login_sessions:·10
79 ······var_accounts_fail_delay:·480 ······var_accounts_fail_delay:·4
80 ······var_accounts_tmout:·60081 ······var_accounts_tmout:·600
81 ······var_accounts_max_concurrent_login_sessions:·10 
82 ······var_auditd_action_mail_acct:·root82 ······var_auditd_action_mail_acct:·root
83 ······var_auditd_space_left_action:·email83 ······var_auditd_space_left_action:·email
84 ······var_removable_partition:·/dev/cdrom84 ······var_removable_partition:·/dev/cdrom
85 ···tasks:85 ···tasks:
86 ····-·name:·Ensure·rsh-server·is·removed86 ····-·name:·Ensure·rsh-server·is·removed
87 ······package:87 ······package:
88 ········name="{{item}}"88 ········name="{{item}}"
Offset 250, 14 lines modifiedOffset 250, 33 lines modified
250 ········-·low_disruption250 ········-·low_disruption
251 ········-·CCE-80258-7251 ········-·CCE-80258-7
252 ········-·NIST-800-53-AC-17(8)252 ········-·NIST-800-53-AC-17(8)
253 ········-·NIST-800-53-CM-7253 ········-·NIST-800-53-CM-7
254 ········-·NIST-800-53-CM-6(b)254 ········-·NIST-800-53-CM-6(b)
255 ········-·DISA-STIG-RHEL-07-021300255 ········-·DISA-STIG-RHEL-07-021300
256 ····256 ····
 257 ····-·name:·"Enable·Use·of·Strict·Mode·Checking"
 258 ······lineinfile:
 259 ········create:·yes
 260 ········dest:·/etc/ssh/sshd_config
 261 ········regexp:·(?i)^#?strictmodes
 262 ········line:·StrictModes·yes
 263 ········validate:·sshd·-t·-f·%s
 264 ······#notify:·restart·sshd
 265 ······tags:
 266 ········-·sshd_enable_strictmodes
 267 ········-·medium_severity
 268 ········-·restrict_strategy
 269 ········-·low_complexity
 270 ········-·low_disruption
 271 ········-·CCE-80222-3
 272 ········-·NIST-800-53-AC-6
 273 ········-·NIST-800-171-3.1.12
 274 ········-·DISA-STIG-RHEL-07-040450
 275 ····
257 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"276 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"
258 ······lineinfile:277 ······lineinfile:
259 ········create:·yes278 ········create:·yes
260 ········dest:·/etc/ssh/sshd_config279 ········dest:·/etc/ssh/sshd_config
261 ········regexp:·^IgnoreUserKnownHosts280 ········regexp:·^IgnoreUserKnownHosts
262 ········line:·IgnoreUserKnownHosts·yes281 ········line:·IgnoreUserKnownHosts·yes
263 ········validate:·sshd·-t·-f·%s282 ········validate:·sshd·-t·-f·%s
Offset 313, 31 lines modifiedOffset 332, 38 lines modified
313 ········-·NIST-800-53-AC-2(5)332 ········-·NIST-800-53-AC-2(5)
314 ········-·NIST-800-53-SA-8333 ········-·NIST-800-53-SA-8
315 ········-·NIST-800-53-AC-12334 ········-·NIST-800-53-AC-12
316 ········-·NIST-800-171-3.1.11335 ········-·NIST-800-171-3.1.11
317 ········-·CJIS-5.5.6336 ········-·CJIS-5.5.6
318 ········-·DISA-STIG-RHEL-07-040340337 ········-·DISA-STIG-RHEL-07-040340
319 ····338 ····
320 ····-·name:·Disable·SSH·Support·for·Rhosts·RSA·Authentication339 ····
 340 ····
 341 ····-·name:·Set·SSH·Idle·Timeout·Interval
321 ······lineinfile:342 ······lineinfile:
322 ········create:·yes343 ········create:·yes
323 ········dest:·/etc/ssh/sshd_config344 ········dest:·/etc/ssh/sshd_config
324 ········regexp:·^RhostsRSAAuthentication345 ········regexp:·^ClientAliveInterval
325 ········line:·RhostsRSAAuthentication·no346 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"
326 ········validate:·sshd·-t·-f·%s347 ········validate:·sshd·-t·-f·%s
 348 ······#notify:·restart·sshd
327 ······tags:349 ······tags:
328 ········-·sshd_disable_rhosts_rsa350 ········-·sshd_set_idle_timeout
329 ········-·medium_severity351 ········-·unknown_severity
330 ········-·restrict_strategy352 ········-·restrict_strategy
331 ········-·low_complexity353 ········-·low_complexity
332 ········-·low_disruption354 ········-·low_disruption
333 ········-·CCE-80373-4355 ········-·CCE-27433-2
334 ········-·NIST-800-53-CM-6(a)356 ········-·NIST-800-53-AC-2(5)
335 ········-·NIST-800-171-3.1.12357 ········-·NIST-800-53-SA-8(i)
336 ········-·DISA-STIG-RHEL-07-040330358 ········-·NIST-800-53-AC-12
 359 ········-·NIST-800-171-3.1.11
 360 ········-·PCI-DSS-Req-8.1.8
 361 ········-·CJIS-5.5.6
 362 ········-·DISA-STIG-RHEL-07-040320
337 ····363 ····
338 ····-·name:·Enable·SSH·Warning·Banner364 ····-·name:·Enable·SSH·Warning·Banner
339 ······lineinfile:365 ······lineinfile:
340 ········create:·yes366 ········create:·yes
341 ········dest:·/etc/ssh/sshd_config367 ········dest:·/etc/ssh/sshd_config
342 ········regexp:·^Banner368 ········regexp:·^Banner
343 ········line:·Banner·/etc/issue369 ········line:·Banner·/etc/issue
Offset 377, 33 lines modifiedOffset 403, 14 lines modified
377 ········-·NIST-800-53-IA-7403 ········-·NIST-800-53-IA-7
378 ········-·NIST-800-53-SC-13404 ········-·NIST-800-53-SC-13
379 ········-·NIST-800-171-3.1.13405 ········-·NIST-800-171-3.1.13
380 ········-·NIST-800-171-3.13.11406 ········-·NIST-800-171-3.13.11
381 ········-·NIST-800-171-3.13.8407 ········-·NIST-800-171-3.13.8
382 ········-·DISA-STIG-RHEL-07-040400408 ········-·DISA-STIG-RHEL-07-040400
383 ····409 ····
384 ····-·name:·Do·Not·Allow·SSH·Environment·Options 
385 ······lineinfile: 
386 ········create:·yes 
387 ········dest:·/etc/ssh/sshd_config 
388 ········regexp:·^PermitUserEnvironment 
389 ········line:·PermitUserEnvironment·no 
390 ········validate:·sshd·-t·-f·%s 
Max diff block lines reached; 106151/113585 bytes (93.46%) of diff not shown.
87.3 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-C2S.yml
    
Offset 43, 57 lines modifiedOffset 43, 58 lines modified
43 ··········43 ··········
44 ···vars:44 ···vars:
45 ······sshd_idle_timeout_value:·30045 ······sshd_idle_timeout_value:·300
46 ······rsyslog_remote_loghost_address:·None46 ······rsyslog_remote_loghost_address:·None
47 ······sysctl_net_ipv6_conf_default_accept_ra_value:·047 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
48 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·048 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·049 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
50 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·150 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
51 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·051 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
52 ······sysctl_net_ipv4_conf_default_rp_filter_value:·152 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
53 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·153 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
54 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·154 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
55 ······sysctl_net_ipv4_tcp_syncookies_value:·155 ······sysctl_net_ipv4_tcp_syncookies_value:·1
56 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·056 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
57 ······sysctl_net_ipv4_conf_all_log_martians_value:·057 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
58 ······sysctl_net_ipv4_conf_all_rp_filter_value:·158 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
59 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·159 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
60 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·060 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
61 ······var_selinux_policy_name:·targeted61 ······var_selinux_policy_name:·targeted
62 ······var_selinux_state:·enforcing62 ······var_selinux_state:·enforcing
63 ······var_accounts_minimum_age_login_defs:·1 
64 ······var_accounts_maximum_age_login_defs:·90 
65 ······var_accounts_password_warn_age_login_defs:·763 ······var_accounts_password_warn_age_login_defs:·7
 64 ······var_accounts_maximum_age_login_defs:·90
 65 ······var_accounts_minimum_age_login_defs:·1
66 ······var_account_disable_post_pw_expiration:·3566 ······var_account_disable_post_pw_expiration:·35
67 ······var_password_pam_unix_remember:·067 ······var_password_pam_unix_remember:·0
68 ······var_accounts_passwords_pam_faillock_deny:·368 ······var_accounts_passwords_pam_faillock_deny:·3
69 ······var_accounts_passwords_pam_faillock_unlock_time:·60480069 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
70 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000070 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
 71 ······var_removable_partition:·/dev/cdrom
 72 ······var_removable_partition:·/dev/cdrom
 73 ······var_removable_partition:·/dev/cdrom
71 ······var_auditd_max_log_file:·174 ······var_auditd_max_log_file:·1
72 ······var_auditd_action_mail_acct:·admin75 ······var_auditd_action_mail_acct:·admin
73 ······var_auditd_space_left_action:·suspend 
74 ······var_auditd_admin_space_left_action:·suspend76 ······var_auditd_admin_space_left_action:·suspend
 77 ······var_auditd_space_left_action:·suspend
75 ······var_auditd_max_log_file_action:·ignore78 ······var_auditd_max_log_file_action:·ignore
76 ······var_removable_partition:·/dev/cdrom 
77 ······var_removable_partition:·/dev/cdrom 
78 ······var_removable_partition:·/dev/cdrom 
79 ···tasks:79 ···tasks:
80 ····-·name:·Ensure·samba·is·removed80 ····-·name:·Ensure·vsftpd·is·removed
81 ······package:81 ······package:
82 ········name="{{item}}"82 ········name="{{item}}"
83 ········state=absent83 ········state=absent
84 ······with_items:84 ······with_items:
85 ········-·samba85 ········-·vsftpd
86 ······tags:86 ······tags:
87 ········-·package_samba_removed87 ········-·package_vsftpd_removed
88 ········-·unknown_severity88 ········-·unknown_severity
89 ········-·disable_strategy89 ········-·disable_strategy
90 ········-·low_complexity90 ········-·low_complexity
91 ········-·low_disruption91 ········-·low_disruption
92 ········-·CCE-27102-392 ········-·CCE-26687-4
 93 ········-·NIST-800-53-CM-7
93 ····94 ····
94 ····-·name:·Ensure·httpd·is·removed95 ····-·name:·Ensure·httpd·is·removed
95 ······package:96 ······package:
96 ········name="{{item}}"97 ········name="{{item}}"
97 ········state=absent98 ········state=absent
98 ······with_items:99 ······with_items:
99 ········-·httpd100 ········-·httpd
Offset 102, 29 lines modifiedOffset 103, 43 lines modified
102 ········-·unknown_severity103 ········-·unknown_severity
103 ········-·disable_strategy104 ········-·disable_strategy
104 ········-·low_complexity105 ········-·low_complexity
105 ········-·low_disruption106 ········-·low_disruption
106 ········-·CCE-27133-8107 ········-·CCE-27133-8
107 ········-·NIST-800-53-CM-7108 ········-·NIST-800-53-CM-7
108 ····109 ····
109 ····-·name:·Ensure·dhcp·is·removed110 ····-·name:·Ensure·bind·is·removed
110 ······package:111 ······package:
111 ········name="{{item}}"112 ········name="{{item}}"
112 ········state=absent113 ········state=absent
113 ······with_items:114 ······with_items:
114 ········-·dhcp115 ········-·bind
115 ······tags:116 ······tags:
116 ········-·package_dhcp_removed117 ········-·package_bind_removed
117 ········-·medium_severity118 ········-·unknown_severity
118 ········-·disable_strategy119 ········-·disable_strategy
119 ········-·low_complexity120 ········-·low_complexity
120 ········-·low_disruption121 ········-·low_disruption
121 ········-·CCE-27120-5122 ········-·CCE-27030-6
122 ········-·NIST-800-53-CM-7123 ········-·NIST-800-53-CM-7
123 ····124 ····
 125 ····-·name:·Ensure·samba·is·removed
 126 ······package:
 127 ········name="{{item}}"
 128 ········state=absent
 129 ······with_items:
 130 ········-·samba
 131 ······tags:
 132 ········-·package_samba_removed
 133 ········-·unknown_severity
 134 ········-·disable_strategy
 135 ········-·low_complexity
 136 ········-·low_disruption
 137 ········-·CCE-27102-3
 138 ····
124 ····-·name:·Enable·service·ntpd139 ····-·name:·Enable·service·ntpd
125 ······service:140 ······service:
126 ········name="{{item}}"141 ········name="{{item}}"
127 ········enabled="yes"142 ········enabled="yes"
128 ········state="started"143 ········state="started"
129 ······with_items:144 ······with_items:
130 ········-·ntpd145 ········-·ntpd
Offset 135, 45 lines modifiedOffset 150, 94 lines modified
135 ········-·low_complexity150 ········-·low_complexity
136 ········-·low_disruption151 ········-·low_disruption
137 ········-·CCE-27093-4152 ········-·CCE-27093-4
138 ········-·NIST-800-53-AU-8(1)153 ········-·NIST-800-53-AU-8(1)
139 ········-·PCI-DSS-Req-10.4154 ········-·PCI-DSS-Req-10.4
140 ········-·DISA-STIG-RHEL-06-000247155 ········-·DISA-STIG-RHEL-06-000247
141 ····156 ····
142 ····-·name:·Disable·service·cups157 ····-·name:·Ensure·openldap-servers·is·removed
 158 ······package:
 159 ········name="{{item}}"
 160 ········state=absent
 161 ······with_items:
 162 ········-·openldap-servers
 163 ······tags:
 164 ········-·package_openldap-servers_removed
 165 ········-·unknown_severity
 166 ········-·disable_strategy
 167 ········-·low_complexity
Max diff block lines reached; 83773/89246 bytes (93.87%) of diff not shown.
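Review bot: The variable and task order on the new side differs from the old side with no change in content — the sysctl vars at new lines 50/54/59/60 swap places, `var_accounts_minimum_age_login_defs` and `var_accounts_maximum_age_login_defs` trade positions, and the `Ensure samba is removed` task moves from the head of `tasks:` to after `bind` — which points to the generator iterating an unordered set or dict, so the role is not reproducible between two builds of the same source. The same reordering appears in the CS2, CSCF-RHEL6-MLS, desktop and fisma-medium-rhel6-server sections below, so this is one generator defect rather than a per-profile one. Emitting vars and tasks in a sorted or profile-declared order would make the output deterministic and let a real profile change show up in a diff instead of being buried in churn. Separately, `var_removable_partition: /dev/cdrom` is emitted three times in one mapping (new lines 71-73); duplicate keys are silently collapsed by most YAML loaders, so the generator should deduplicate vars before writing them.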
177 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-CS2.yml
    
Offset 33, 88 lines modifiedOffset 33, 75 lines modified
33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
34 ··········34 ··········
35 ···vars:35 ···vars:
36 ······rsyslog_remote_loghost_address:·None36 ······rsyslog_remote_loghost_address:·None
37 ······sysctl_net_ipv6_conf_default_accept_ra_value:·037 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
38 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·038 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
39 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·039 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
40 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·140 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
41 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·041 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
42 ······sysctl_net_ipv4_conf_default_rp_filter_value:·142 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
43 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·143 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
44 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·144 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
45 ······sysctl_net_ipv4_tcp_syncookies_value:·145 ······sysctl_net_ipv4_tcp_syncookies_value:·1
46 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·046 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
47 ······sysctl_net_ipv4_conf_all_log_martians_value:·047 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
48 ······sysctl_net_ipv4_conf_all_rp_filter_value:·148 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
49 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·149 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
50 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·050 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
51 ······var_selinux_policy_name:·targeted51 ······var_selinux_policy_name:·targeted
52 ······var_selinux_state:·enforcing52 ······var_selinux_state:·enforcing
53 ······var_accounts_password_minlen_login_defs:·1453 ······var_accounts_password_minlen_login_defs:·14
54 ······var_accounts_minimum_age_login_defs:·1 
55 ······var_accounts_maximum_age_login_defs:·180 
56 ······var_accounts_password_warn_age_login_defs:·754 ······var_accounts_password_warn_age_login_defs:·7
 55 ······var_accounts_maximum_age_login_defs:·180
 56 ······var_accounts_minimum_age_login_defs:·1
57 ······var_account_disable_post_pw_expiration:·3557 ······var_account_disable_post_pw_expiration:·35
58 ······var_password_pam_unix_remember:·1058 ······var_password_pam_unix_remember:·10
59 ······var_accounts_passwords_pam_faillock_deny:·359 ······var_accounts_passwords_pam_faillock_deny:·3
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_user_umask:·07763 ······var_accounts_user_umask:·077
64 ······var_accounts_max_concurrent_login_sessions:·364 ······var_accounts_max_concurrent_login_sessions:·3
65 ······var_removable_partition:·/dev/cdrom65 ······var_removable_partition:·/dev/cdrom
66 ······var_removable_partition:·/dev/cdrom66 ······var_removable_partition:·/dev/cdrom
67 ······var_removable_partition:·/dev/cdrom67 ······var_removable_partition:·/dev/cdrom
68 ···tasks:68 ···tasks:
69 ····-·name:·Disable·service·smb69 ····-·name:·Disable·service·vsftpd
70 ······service:70 ······service:
71 ········name="{{item}}"71 ········name="{{item}}"
72 ········enabled="no"72 ········enabled="no"
73 ········state="stopped"73 ········state="stopped"
74 ······register:·service_result74 ······register:·service_result
75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
76 ······with_items:76 ······with_items:
77 ········-·smb77 ········-·vsftpd
78 ······tags:78 ······tags:
79 ········-·service_smb_disabled79 ········-·service_vsftpd_disabled
80 ········-·unknown_severity80 ········-·unknown_severity
81 ········-·disable_strategy81 ········-·disable_strategy
82 ········-·low_complexity82 ········-·low_complexity
83 ········-·low_disruption83 ········-·low_disruption
84 ········-·CCE-27143-784 ········-·CCE-26948-0
85 ····85 ········-·NIST-800-53-CM-7
86 ····-·name:·Check·if·/etc/samba/smb.conf·exists 
87 ······stat: 
88 ········path:·/etc/samba/smb.conf 
89 ······register:·st_smb 
90 ······tags: 
91 ········-·require_smb_client_signing 
92 ········-·unknown_severity 
93 ········-·configure_strategy 
94 ········-·low_complexity 
95 ········-·medium_disruption 
96 ········-·CCE-26328-5 
97 ········-·DISA-STIG-RHEL-06-000272 
98 ····86 ····
99 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient87 ····-·name:·Ensure·vsftpd·is·removed
100 ······lineinfile:88 ······package:
101 ········dest:·/etc/samba/smb.conf89 ········name="{{item}}"
102 ········line:·client·signing·=·mandatory90 ········state=absent
103 ········state:·present91 ······with_items:
104 ········insertafter:·[global]92 ········-·vsftpd
105 ······when:·st_smb.stat.exists 
106 ······tags:93 ······tags:
107 ········-·require_smb_client_signing94 ········-·package_vsftpd_removed
108 ········-·unknown_severity95 ········-·unknown_severity
109 ········-·configure_strategy96 ········-·disable_strategy
110 ········-·low_complexity97 ········-·low_complexity
111 ········-·medium_disruption98 ········-·low_disruption
112 ········-·CCE-26328-599 ········-·CCE-26687-4
113 ········-·DISA-STIG-RHEL-06-000272100 ········-·NIST-800-53-CM-7
114 ····101 ····
115 ····-·name:·Ensure·httpd·is·removed102 ····-·name:·Ensure·httpd·is·removed
116 ······package:103 ······package:
117 ········name="{{item}}"104 ········name="{{item}}"
118 ········state=absent105 ········state=absent
119 ······with_items:106 ······with_items:
120 ········-·httpd107 ········-·httpd
Offset 153, 45 lines modifiedOffset 140, 92 lines modified
153 ········-·unknown_severity140 ········-·unknown_severity
154 ········-·configure_strategy141 ········-·configure_strategy
155 ········-·low_complexity142 ········-·low_complexity
156 ········-·low_disruption143 ········-·low_disruption
157 ········-·CCE-27316-9144 ········-·CCE-27316-9
158 ········-·NIST-800-53-CM-7145 ········-·NIST-800-53-CM-7
159 ····146 ····
160 ····-·name:·Ensure·sendmail·is·removed147 ····-·name:·Disable·service·named
 148 ······service:
 149 ········name="{{item}}"
 150 ········enabled="no"
 151 ········state="stopped"
 152 ······register:·service_result
 153 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 154 ······with_items:
 155 ········-·named
 156 ······tags:
 157 ········-·service_named_disabled
 158 ········-·unknown_severity
 159 ········-·disable_strategy
 160 ········-·low_complexity
 161 ········-·low_disruption
 162 ········-·CCE-26873-0
 163 ········-·NIST-800-53-CM-7
 164 ····
 165 ····-·name:·Ensure·bind·is·removed
161 ······package:166 ······package:
162 ········name="{{item}}"167 ········name="{{item}}"
163 ········state=absent168 ········state=absent
164 ······with_items:169 ······with_items:
165 ········-·sendmail170 ········-·bind
166 ······tags:171 ······tags:
167 ········-·package_sendmail_removed172 ········-·package_bind_removed
168 ········-·medium_severity173 ········-·unknown_severity
169 ········-·disable_strategy174 ········-·disable_strategy
170 ········-·low_complexity175 ········-·low_complexity
Max diff block lines reached; 175955/181073 bytes (97.17%) of diff not shown.
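Review bot: `rsyslog_remote_loghost_address: None` at new line 36 looks like a Python `None` rendered into YAML, where it is parsed as the string `"None"` rather than as a null; the same value appears in the C2S and desktop roles. If a task templates this variable into the rsyslog configuration, remote logging would be pointed at a host literally named `None` instead of being left unconfigured — the consuming task is outside this hunk, so this is inferred from the variable name. The generator should either omit the variable when the profile sets no value or emit an explicit `~`, and the task should be guarded with `when: rsyslog_remote_loghost_address` so an unset address skips the change.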
129 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-CSCF-RHEL6-MLS.yml
    
Offset 35, 39 lines modifiedOffset 35, 72 lines modified
35 ·······assert:35 ·······assert:
36 ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')"36 ·········that:·"ansible_version.full·|·version_compare('2.3',·'>=')"
37 ·········msg:·>37 ·········msg:·>
38 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."38 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
39 ··········39 ··········
40 ···vars:40 ···vars:
41 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·041 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
42 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·142 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
43 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_rp_filter_value:·144 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
45 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·145 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
46 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·146 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
47 ······sysctl_net_ipv4_tcp_syncookies_value:·147 ······sysctl_net_ipv4_tcp_syncookies_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·048 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_all_log_martians_value:·049 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
50 ······sysctl_net_ipv4_conf_all_rp_filter_value:·150 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
51 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·151 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
52 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·052 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
53 ······var_selinux_policy_name:·mls53 ······var_selinux_policy_name:·mls
54 ······var_selinux_state:·enforcing54 ······var_selinux_state:·enforcing
55 ······var_accounts_password_minlen_login_defs:·1255 ······var_accounts_password_minlen_login_defs:·12
56 ······var_accounts_maximum_age_login_defs:·180 
57 ······var_accounts_password_warn_age_login_defs:·756 ······var_accounts_password_warn_age_login_defs:·7
 57 ······var_accounts_maximum_age_login_defs:·180
58 ······var_account_disable_post_pw_expiration:·3558 ······var_account_disable_post_pw_expiration:·35
59 ······var_password_pam_unix_remember:·059 ······var_password_pam_unix_remember:·0
60 ······var_password_pam_retry:·360 ······var_password_pam_retry:·3
61 ······var_auditd_max_log_file:·161 ······var_auditd_max_log_file:·1
62 ······var_auditd_action_mail_acct:·admin62 ······var_auditd_action_mail_acct:·admin
63 ······var_auditd_space_left_action:·suspend 
64 ······var_auditd_admin_space_left_action:·suspend63 ······var_auditd_admin_space_left_action:·suspend
 64 ······var_auditd_space_left_action:·suspend
65 ······var_auditd_max_log_file_action:·keep_logs65 ······var_auditd_max_log_file_action:·keep_logs
66 ···tasks:66 ···tasks:
 67 ····-·name:·Disable·service·vsftpd
 68 ······service:
 69 ········name="{{item}}"
 70 ········enabled="no"
 71 ········state="stopped"
 72 ······register:·service_result
 73 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 74 ······with_items:
 75 ········-·vsftpd
 76 ······tags:
 77 ········-·service_vsftpd_disabled
 78 ········-·unknown_severity
 79 ········-·disable_strategy
 80 ········-·low_complexity
 81 ········-·low_disruption
 82 ········-·CCE-26948-0
 83 ········-·NIST-800-53-CM-7
 84 ····
 85 ····-·name:·Ensure·vsftpd·is·removed
 86 ······package:
 87 ········name="{{item}}"
 88 ········state=absent
 89 ······with_items:
 90 ········-·vsftpd
 91 ······tags:
 92 ········-·package_vsftpd_removed
 93 ········-·unknown_severity
 94 ········-·disable_strategy
 95 ········-·low_complexity
 96 ········-·low_disruption
 97 ········-·CCE-26687-4
 98 ········-·NIST-800-53-CM-7
 99 ····
67 ····100 ····
68 ····-·name:·Find·/etc/httpd/conf/*·file(s)101 ····-·name:·Find·/etc/httpd/conf/*·file(s)
69 ······find:102 ······find:
70 ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}"103 ········paths:·"{{·'/etc/httpd/conf/*'·|·dirname·}}"
71 ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}"104 ········patterns:·"{{·'/etc/httpd/conf/*'·|·basename·}}"
72 ······register:·files_found105 ······register:·files_found
73 ······tags:106 ······tags:
Offset 90, 98 lines modifiedOffset 123, 116 lines modified
90 ········-·unknown_severity123 ········-·unknown_severity
91 ········-·configure_strategy124 ········-·configure_strategy
92 ········-·low_complexity125 ········-·low_complexity
93 ········-·low_disruption126 ········-·low_disruption
94 ········-·CCE-27316-9127 ········-·CCE-27316-9
95 ········-·NIST-800-53-CM-7128 ········-·NIST-800-53-CM-7
96 ····129 ····
97 ····-·name:·Ensure·sendmail·is·removed130 ····-·name:·Disable·service·named
98 ······package:131 ······service:
99 ········name="{{item}}"132 ········name="{{item}}"
100 ········state=absent133 ········enabled="no"
 134 ········state="stopped"
 135 ······register:·service_result
 136 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
101 ······with_items:137 ······with_items:
102 ········-·sendmail138 ········-·named
103 ······tags:139 ······tags:
104 ········-·package_sendmail_removed140 ········-·service_named_disabled
105 ········-·medium_severity141 ········-·unknown_severity
106 ········-·disable_strategy142 ········-·disable_strategy
107 ········-·low_complexity143 ········-·low_complexity
108 ········-·low_disruption144 ········-·low_disruption
109 ········-·CCE-27515-6145 ········-·CCE-26873-0
110 ········-·NIST-800-53-CM-7146 ········-·NIST-800-53-CM-7
111 ········-·DISA-STIG-RHEL-06-000288 
112 ····147 ····
113 ····-·name:·Ensure·dhcp·is·removed148 ····-·name:·Ensure·bind·is·removed
114 ······package:149 ······package:
115 ········name="{{item}}"150 ········name="{{item}}"
116 ········state=absent151 ········state=absent
117 ······with_items:152 ······with_items:
118 ········-·dhcp153 ········-·bind
119 ······tags:154 ······tags:
120 ········-·package_dhcp_removed155 ········-·package_bind_removed
121 ········-·medium_severity156 ········-·unknown_severity
122 ········-·disable_strategy157 ········-·disable_strategy
123 ········-·low_complexity158 ········-·low_complexity
124 ········-·low_disruption159 ········-·low_disruption
125 ········-·CCE-27120-5160 ········-·CCE-27030-6
126 ········-·NIST-800-53-CM-7161 ········-·NIST-800-53-CM-7
127 ····162 ····
128 ····-·name:·Disable·service·dhcpd163 ····-·name:·Enable·service·ntpd
129 ······service:164 ······service:
130 ········name="{{item}}"165 ········name="{{item}}"
131 ········enabled="no"166 ········enabled="yes"
132 ········state="stopped"167 ········state="started"
133 ······register:·service_result 
134 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" 
135 ······with_items:168 ······with_items:
136 ········-·dhcpd169 ········-·ntpd
137 ······tags:170 ······tags:
138 ········-·service_dhcpd_disabled171 ········-·service_ntpd_enabled
Max diff block lines reached; 127041/131888 bytes (96.32%) of diff not shown.
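Review bot: The `failed_when` expressions on new lines 73 and 136 rely on the deprecated `service_result|failed` filter-test form and on matching the literal message `Could not find the requested service`, so a wording change in a newer Ansible makes an absent service abort the whole role instead of being tolerated. `service_result is failed` is the supported test form, and adding `service_result.msg is defined and` before the substring test avoids an undefined-attribute error when a failure carries no `msg`. The same construct is emitted in the C2S, CS2 and desktop roles, and the `Disable service vsftpd` task at new line 67 is followed by a `package` task that removes the same package, so the service task only matters if the package is still installed at that point.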
129 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-desktop.yml
    
Offset 34, 87 lines modifiedOffset 34, 74 lines modified
34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
35 ··········35 ··········
36 ···vars:36 ···vars:
37 ······sshd_idle_timeout_value:·30037 ······sshd_idle_timeout_value:·300
38 ······rsyslog_remote_loghost_address:·None38 ······rsyslog_remote_loghost_address:·None
39 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·039 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
40 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·040 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
41 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·141 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
42 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·042 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
43 ······sysctl_net_ipv4_conf_default_rp_filter_value:·143 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
44 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·044 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
45 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
46 ······sysctl_net_ipv4_tcp_syncookies_value:·146 ······sysctl_net_ipv4_tcp_syncookies_value:·1
47 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·047 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
48 ······sysctl_net_ipv4_conf_all_log_martians_value:·148 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
49 ······sysctl_net_ipv4_conf_all_rp_filter_value:·149 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
50 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·150 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
51 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·051 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
52 ······var_selinux_policy_name:·targeted52 ······var_selinux_policy_name:·targeted
53 ······var_selinux_state:·enforcing53 ······var_selinux_state:·enforcing
54 ······var_accounts_password_minlen_login_defs:·1554 ······var_accounts_password_minlen_login_defs:·15
55 ······var_accounts_minimum_age_login_defs:·7 
56 ······var_accounts_maximum_age_login_defs:·90 
57 ······var_accounts_password_warn_age_login_defs:·755 ······var_accounts_password_warn_age_login_defs:·7
 56 ······var_accounts_maximum_age_login_defs:·90
 57 ······var_accounts_minimum_age_login_defs:·7
58 ······var_password_pam_unix_remember:·558 ······var_password_pam_unix_remember:·5
59 ······var_accounts_passwords_pam_faillock_deny:·359 ······var_accounts_passwords_pam_faillock_deny:·3
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_tmout:·60063 ······var_accounts_tmout:·600
 64 ······var_removable_partition:·/dev/cdrom
64 ······var_auditd_max_log_file:·665 ······var_auditd_max_log_file:·6
65 ······var_auditd_admin_space_left_action:·single66 ······var_auditd_admin_space_left_action:·single
66 ······var_auditd_max_log_file_action:·rotate67 ······var_auditd_max_log_file_action:·rotate
67 ······var_removable_partition:·/dev/cdrom 
68 ···tasks:68 ···tasks:
69 ····-·name:·Disable·service·smb69 ····-·name:·Disable·service·vsftpd
70 ······service:70 ······service:
71 ········name="{{item}}"71 ········name="{{item}}"
72 ········enabled="no"72 ········enabled="no"
73 ········state="stopped"73 ········state="stopped"
74 ······register:·service_result74 ······register:·service_result
75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"75 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
76 ······with_items:76 ······with_items:
77 ········-·smb77 ········-·vsftpd
78 ······tags:78 ······tags:
79 ········-·service_smb_disabled79 ········-·service_vsftpd_disabled
80 ········-·unknown_severity80 ········-·unknown_severity
81 ········-·disable_strategy81 ········-·disable_strategy
82 ········-·low_complexity82 ········-·low_complexity
83 ········-·low_disruption83 ········-·low_disruption
84 ········-·CCE-27143-784 ········-·CCE-26948-0
85 ····85 ········-·NIST-800-53-CM-7
86 ····-·name:·Check·if·/etc/samba/smb.conf·exists 
87 ······stat: 
88 ········path:·/etc/samba/smb.conf 
89 ······register:·st_smb 
90 ······tags: 
91 ········-·require_smb_client_signing 
92 ········-·unknown_severity 
93 ········-·configure_strategy 
94 ········-·low_complexity 
95 ········-·medium_disruption 
96 ········-·CCE-26328-5 
97 ········-·DISA-STIG-RHEL-06-000272 
98 ····86 ····
99 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient87 ····-·name:·Ensure·vsftpd·is·removed
100 ······lineinfile:88 ······package:
101 ········dest:·/etc/samba/smb.conf89 ········name="{{item}}"
102 ········line:·client·signing·=·mandatory90 ········state=absent
103 ········state:·present91 ······with_items:
104 ········insertafter:·[global]92 ········-·vsftpd
105 ······when:·st_smb.stat.exists 
106 ······tags:93 ······tags:
107 ········-·require_smb_client_signing94 ········-·package_vsftpd_removed
108 ········-·unknown_severity95 ········-·unknown_severity
109 ········-·configure_strategy96 ········-·disable_strategy
110 ········-·low_complexity97 ········-·low_complexity
111 ········-·medium_disruption98 ········-·low_disruption
112 ········-·CCE-26328-599 ········-·CCE-26687-4
113 ········-·DISA-STIG-RHEL-06-000272100 ········-·NIST-800-53-CM-7
114 ····101 ····
115 ····-·name:·Disable·service·httpd102 ····-·name:·Disable·service·httpd
116 ······service:103 ······service:
117 ········name="{{item}}"104 ········name="{{item}}"
118 ········enabled="no"105 ········enabled="no"
119 ········state="stopped"106 ········state="stopped"
120 ······register:·service_result107 ······register:·service_result
Offset 141, 46 lines modifiedOffset 128, 92 lines modified
141 ········-·unknown_severity128 ········-·unknown_severity
142 ········-·disable_strategy129 ········-·disable_strategy
143 ········-·low_complexity130 ········-·low_complexity
144 ········-·low_disruption131 ········-·low_disruption
145 ········-·CCE-27133-8132 ········-·CCE-27133-8
146 ········-·NIST-800-53-CM-7133 ········-·NIST-800-53-CM-7
147 ····134 ····
148 ····-·name:·Ensure·dhcp·is·removed135 ····-·name:·Disable·service·named
 136 ······service:
 137 ········name="{{item}}"
 138 ········enabled="no"
 139 ········state="stopped"
 140 ······register:·service_result
 141 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 142 ······with_items:
 143 ········-·named
 144 ······tags:
 145 ········-·service_named_disabled
 146 ········-·unknown_severity
 147 ········-·disable_strategy
 148 ········-·low_complexity
 149 ········-·low_disruption
 150 ········-·CCE-26873-0
 151 ········-·NIST-800-53-CM-7
 152 ····
 153 ····-·name:·Ensure·bind·is·removed
149 ······package:154 ······package:
150 ········name="{{item}}"155 ········name="{{item}}"
151 ········state=absent156 ········state=absent
152 ······with_items:157 ······with_items:
153 ········-·dhcp158 ········-·bind
154 ······tags:159 ······tags:
155 ········-·package_dhcp_removed160 ········-·package_bind_removed
156 ········-·medium_severity161 ········-·unknown_severity
157 ········-·disable_strategy162 ········-·disable_strategy
158 ········-·low_complexity163 ········-·low_complexity
Max diff block lines reached; 126640/131720 bytes (96.14%) of diff not shown.
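Review bot: The generated tasks mix two argument styles: `package:` and `service:` receive key=value shorthand strings (`name="{{item}}"`, `state=absent`, `enabled="no"` at new lines 70-73 and 88-90), while the `find:` task in the CSCF-RHEL6-MLS section uses a YAML mapping (`paths:`, `patterns:`). The shorthand is parsed as a single free-form string and its quoting is easy to get wrong; emitting `name: "{{ item }}"` and `state: absent` as mapping keys keeps every task in the same form and is the style the mapping-based tasks already follow. The section is truncated, so this is stated only for the tasks visible here.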
147 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-fisma-medium-rhel6-server.yml
    
Offset 32, 46 lines modifiedOffset 32, 46 lines modified
32 ·········msg:·>32 ·········msg:·>
33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
34 ··········34 ··········
35 ···vars:35 ···vars:
36 ······sysctl_net_ipv6_conf_default_accept_ra_value:·036 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
37 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·037 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
38 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·038 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
39 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·139 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
40 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·040 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
41 ······sysctl_net_ipv4_conf_default_rp_filter_value:·141 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
42 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·142 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
43 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·143 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
44 ······sysctl_net_ipv4_tcp_syncookies_value:·144 ······sysctl_net_ipv4_tcp_syncookies_value:·1
45 ······sysctl_net_ipv4_conf_all_log_martians_value:·045 ······sysctl_net_ipv4_conf_all_log_martians_value:·0
46 ······sysctl_net_ipv4_conf_all_rp_filter_value:·146 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
47 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·147 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·048 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
49 ······var_selinux_policy_name:·targeted49 ······var_selinux_policy_name:·targeted
50 ······var_selinux_state:·enforcing50 ······var_selinux_state:·enforcing
51 ······var_accounts_password_minlen_login_defs:·1251 ······var_accounts_password_minlen_login_defs:·12
52 ······var_accounts_minimum_age_login_defs:·1 
53 ······var_accounts_maximum_age_login_defs:·120 
54 ······var_accounts_password_warn_age_login_defs:·752 ······var_accounts_password_warn_age_login_defs:·7
 53 ······var_accounts_maximum_age_login_defs:·120
 54 ······var_accounts_minimum_age_login_defs:·1
55 ······var_account_disable_post_pw_expiration:·9055 ······var_account_disable_post_pw_expiration:·90
56 ······var_password_pam_unix_remember:·2456 ······var_password_pam_unix_remember:·24
57 ······var_accounts_passwords_pam_faillock_deny:·357 ······var_accounts_passwords_pam_faillock_deny:·3
58 ······var_accounts_passwords_pam_faillock_unlock_time:·60480058 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
59 ······var_accounts_passwords_pam_faillock_fail_interval:·90059 ······var_accounts_passwords_pam_faillock_fail_interval:·900
60 ······var_password_pam_maxrepeat:·360 ······var_password_pam_maxrepeat:·3
61 ······var_password_pam_retry:·361 ······var_password_pam_retry:·3
62 ······var_accounts_max_concurrent_login_sessions:·162 ······var_accounts_max_concurrent_login_sessions:·1
 63 ······var_removable_partition:·/dev/cdrom
 64 ······var_removable_partition:·/dev/cdrom
 65 ······var_removable_partition:·/dev/cdrom
63 ······var_auditd_max_log_file:·166 ······var_auditd_max_log_file:·1
64 ······var_auditd_action_mail_acct:·admin67 ······var_auditd_action_mail_acct:·admin
65 ······var_auditd_space_left_action:·suspend 
66 ······var_auditd_admin_space_left_action:·halt68 ······var_auditd_admin_space_left_action:·halt
 69 ······var_auditd_space_left_action:·suspend
67 ······var_auditd_max_log_file_action:·ignore70 ······var_auditd_max_log_file_action:·ignore
68 ······var_removable_partition:·/dev/cdrom 
69 ······var_removable_partition:·/dev/cdrom 
70 ······var_removable_partition:·/dev/cdrom 
71 ···tasks:71 ···tasks:
72 ····-·name:·Enable·service·ntpd72 ····-·name:·Enable·service·ntpd
73 ······service:73 ······service:
74 ········name="{{item}}"74 ········name="{{item}}"
75 ········enabled="yes"75 ········enabled="yes"
76 ········state="started"76 ········state="started"
77 ······with_items:77 ······with_items:
Offset 83, 14 lines modifiedOffset 83, 50 lines modified
83 ········-·low_complexity83 ········-·low_complexity
84 ········-·low_disruption84 ········-·low_disruption
85 ········-·CCE-27093-485 ········-·CCE-27093-4
86 ········-·NIST-800-53-AU-8(1)86 ········-·NIST-800-53-AU-8(1)
87 ········-·PCI-DSS-Req-10.487 ········-·PCI-DSS-Req-10.4
88 ········-·DISA-STIG-RHEL-06-00024788 ········-·DISA-STIG-RHEL-06-000247
89 ····89 ····
 90 ····-·name:·Enable·service·crond
 91 ······service:
 92 ········name="{{item}}"
 93 ········enabled="yes"
 94 ········state="started"
 95 ······with_items:
 96 ········-·crond
 97 ······tags:
 98 ········-·service_crond_enabled
 99 ········-·medium_severity
 100 ········-·enable_strategy
 101 ········-·low_complexity
 102 ········-·low_disruption
 103 ········-·CCE-27070-2
 104 ········-·NIST-800-53-CM-7
 105 ········-·DISA-STIG-RHEL-06-000224
 106 ····
 107 ····-·name:·Disable·service·atd
 108 ······service:
 109 ········name="{{item}}"
 110 ········enabled="no"
 111 ········state="stopped"
 112 ······register:·service_result
 113 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 114 ······with_items:
 115 ········-·atd
 116 ······tags:
 117 ········-·service_atd_disabled
 118 ········-·unknown_severity
 119 ········-·disable_strategy
 120 ········-·low_complexity
 121 ········-·low_disruption
 122 ········-·CCE-27249-2
 123 ········-·NIST-800-53-CM-7
 124 ········-·DISA-STIG-RHEL-06-000262
 125 ····
90 ····-·name:·Ensure·rsh·is·removed126 ····-·name:·Ensure·rsh·is·removed
91 ······package:127 ······package:
92 ········name="{{item}}"128 ········name="{{item}}"
93 ········state=absent129 ········state=absent
94 ······with_items:130 ······with_items:
95 ········-·rsh131 ········-·rsh
96 ······tags:132 ······tags:
Offset 243, 50 lines modifiedOffset 279, 14 lines modified
243 ········-·disable_strategy279 ········-·disable_strategy
244 ········-·low_complexity280 ········-·low_complexity
245 ········-·low_disruption281 ········-·low_disruption
246 ········-·CCE-27005-8282 ········-·CCE-27005-8
247 ········-·NIST-800-53-CM-7283 ········-·NIST-800-53-CM-7
248 ········-·DISA-STIG-RHEL-06-000204284 ········-·DISA-STIG-RHEL-06-000204
249 ····285 ····
250 ····-·name:·Enable·service·crond 
251 ······service: 
252 ········name="{{item}}" 
253 ········enabled="yes" 
254 ········state="started" 
255 ······with_items: 
256 ········-·crond 
257 ······tags: 
258 ········-·service_crond_enabled 
259 ········-·medium_severity 
260 ········-·enable_strategy 
261 ········-·low_complexity 
262 ········-·low_disruption 
263 ········-·CCE-27070-2 
264 ········-·NIST-800-53-CM-7 
265 ········-·DISA-STIG-RHEL-06-000224 
Max diff block lines reached; 145514/150564 bytes (96.65%) of diff not shown.
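Review bot: The two builds of this role emit the same vars and tasks in a different order — the sysctl_* vars at lines 39–48 of the vars mapping are permuted, and the `Enable service crond` / `Disable service atd` tasks move from old lines 250–265 to new lines 90–124 — so the generated playbook is not reproducible; the generator most likely iterates a set or a hash-ordered dict when collecting a profile's rules and variables, and sorting that collection by rule/variable id before writing would make the output deterministic. The same reordering appears in the ssg-sl6-role-ftp-server.yml, ssg-sl6-role-nist-CL-IL-AL.yml, ssg-sl6-role-pci-dss.yml and ssg-sl6-role-rht-ccp.yml sections below. Separately, `var_removable_partition: /dev/cdrom` is written three times in the vars mapping (new lines 63–65 here, 69–71 in the nist-CL-IL-AL section); duplicate mapping keys are rejected by strict YAML loaders and otherwise silently last-wins, so the generator should de-duplicate variables before emitting them. A build whose output differs from run to run also defeats checking that the shipped hardening role matches its source, which is what this reproducibility comparison exists to verify.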
117 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-ftp-server.yml
    
Offset 33, 42 lines modifiedOffset 33, 57 lines modified
33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
34 ··········34 ··········
35 ···vars:35 ···vars:
36 ······sshd_idle_timeout_value:·30036 ······sshd_idle_timeout_value:·300
37 ······rsyslog_remote_loghost_address:·None37 ······rsyslog_remote_loghost_address:·None
38 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·038 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
39 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·039 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
40 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·140 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
41 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·041 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
42 ······sysctl_net_ipv4_conf_default_rp_filter_value:·142 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
43 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·043 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·044 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
45 ······sysctl_net_ipv4_tcp_syncookies_value:·145 ······sysctl_net_ipv4_tcp_syncookies_value:·1
46 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·046 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
47 ······sysctl_net_ipv4_conf_all_log_martians_value:·147 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
48 ······sysctl_net_ipv4_conf_all_rp_filter_value:·148 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
49 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·149 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
50 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·050 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
51 ······var_selinux_policy_name:·targeted51 ······var_selinux_policy_name:·targeted
52 ······var_selinux_state:·enforcing52 ······var_selinux_state:·enforcing
53 ······var_accounts_password_minlen_login_defs:·1553 ······var_accounts_password_minlen_login_defs:·15
54 ······var_accounts_minimum_age_login_defs:·7 
55 ······var_accounts_maximum_age_login_defs:·90 
56 ······var_accounts_password_warn_age_login_defs:·754 ······var_accounts_password_warn_age_login_defs:·7
 55 ······var_accounts_maximum_age_login_defs:·90
 56 ······var_accounts_minimum_age_login_defs:·7
57 ······var_password_pam_unix_remember:·557 ······var_password_pam_unix_remember:·5
58 ······var_accounts_passwords_pam_faillock_deny:·358 ······var_accounts_passwords_pam_faillock_deny:·3
59 ······var_accounts_passwords_pam_faillock_unlock_time:·60480059 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
60 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000060 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
61 ······var_password_pam_retry:·361 ······var_password_pam_retry:·3
62 ······var_accounts_tmout:·60062 ······var_accounts_tmout:·600
 63 ······var_removable_partition:·/dev/cdrom
63 ······var_auditd_max_log_file:·664 ······var_auditd_max_log_file:·6
64 ······var_auditd_admin_space_left_action:·single65 ······var_auditd_admin_space_left_action:·single
65 ······var_auditd_max_log_file_action:·rotate66 ······var_auditd_max_log_file_action:·rotate
66 ······var_removable_partition:·/dev/cdrom 
67 ···tasks:67 ···tasks:
 68 ····-·name:·Ensure·vsftpd·is·installed
 69 ······package:
 70 ········name="{{item}}"
 71 ········state=present
 72 ······with_items:
 73 ········-·vsftpd
 74 ······tags:
 75 ········-·package_vsftpd_installed
 76 ········-·unknown_severity
 77 ········-·enable_strategy
 78 ········-·low_complexity
 79 ········-·low_disruption
 80 ········-·CCE-27187-4
 81 ········-·NIST-800-53-CM-7
 82 ····
68 ····-·name:·Check·if·/etc/samba/smb.conf·exists83 ····-·name:·Check·if·/etc/samba/smb.conf·exists
69 ······stat:84 ······stat:
70 ········path:·/etc/samba/smb.conf85 ········path:·/etc/samba/smb.conf
71 ······register:·st_smb86 ······register:·st_smb
72 ······tags:87 ······tags:
73 ········-·require_smb_client_signing88 ········-·require_smb_client_signing
74 ········-·unknown_severity89 ········-·unknown_severity
Offset 108, 14 lines modifiedOffset 123, 81 lines modified
108 ········-·low_complexity123 ········-·low_complexity
109 ········-·low_disruption124 ········-·low_disruption
110 ········-·CCE-27093-4125 ········-·CCE-27093-4
111 ········-·NIST-800-53-AU-8(1)126 ········-·NIST-800-53-AU-8(1)
112 ········-·PCI-DSS-Req-10.4127 ········-·PCI-DSS-Req-10.4
113 ········-·DISA-STIG-RHEL-06-000247128 ········-·DISA-STIG-RHEL-06-000247
114 ····129 ····
 130 ····-·name:·Ensure·openldap-servers·is·removed
 131 ······package:
 132 ········name="{{item}}"
 133 ········state=absent
 134 ······with_items:
 135 ········-·openldap-servers
 136 ······tags:
 137 ········-·package_openldap-servers_removed
 138 ········-·unknown_severity
 139 ········-·disable_strategy
 140 ········-·low_complexity
 141 ········-·low_disruption
 142 ········-·CCE-26858-1
 143 ········-·NIST-800-53-CM-7
 144 ········-·DISA-STIG-RHEL-06-000256
 145 ····
 146 ····-·name:·Enable·service·crond
 147 ······service:
 148 ········name="{{item}}"
 149 ········enabled="yes"
 150 ········state="started"
 151 ······with_items:
 152 ········-·crond
 153 ······tags:
 154 ········-·service_crond_enabled
 155 ········-·medium_severity
 156 ········-·enable_strategy
 157 ········-·low_complexity
 158 ········-·low_disruption
 159 ········-·CCE-27070-2
 160 ········-·NIST-800-53-CM-7
 161 ········-·DISA-STIG-RHEL-06-000224
 162 ····
 163 ····-·name:·Disable·service·atd
 164 ······service:
 165 ········name="{{item}}"
 166 ········enabled="no"
 167 ········state="stopped"
 168 ······register:·service_result
 169 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 170 ······with_items:
 171 ········-·atd
 172 ······tags:
 173 ········-·service_atd_disabled
 174 ········-·unknown_severity
 175 ········-·disable_strategy
 176 ········-·low_complexity
 177 ········-·low_disruption
 178 ········-·CCE-27249-2
 179 ········-·NIST-800-53-CM-7
 180 ········-·DISA-STIG-RHEL-06-000262
 181 ····
 182 ····-·name:·Ensure·xorg-x11-server-common·is·removed
 183 ······package:
 184 ········name="{{item}}"
 185 ········state=absent
 186 ······with_items:
 187 ········-·xorg-x11-server-common
 188 ······tags:
Max diff block lines reached; 114906/119566 bytes (96.10%) of diff not shown.
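Review bot: The `failed_when: "service_result|failed and ('Could not find the requested service' not in service_result.msg)"` expression on new line 169 of this section (the `Disable service atd` task) uses the `|failed` filter form, which Ansible deprecated in 2.5 in favour of the `is failed` test and removed in 2.9, so the role fails to parse on current Ansible even though the version check at line 33 only asserts a 2.3 minimum. The same expression is emitted for every disable-service task, including the atd task in the fisma-medium section above and the named, atd and avahi-daemon tasks in the nist-CL-IL-AL and rht-ccp sections below, so the fix belongs in the shared template rather than in one role. It should emit `failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"`, which is accepted at least from 2.5 onwards and keeps the same tolerance for a service that is not installed.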
171 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-nist-CL-IL-AL.yml
    
Offset 38, 75 lines modifiedOffset 38, 61 lines modified
38 ··········38 ··········
39 ···vars:39 ···vars:
40 ······sshd_idle_timeout_value:·30040 ······sshd_idle_timeout_value:·300
41 ······rsyslog_remote_loghost_address:·None41 ······rsyslog_remote_loghost_address:·None
42 ······sysctl_net_ipv6_conf_default_accept_ra_value:·042 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
43 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·044 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
45 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·145 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
46 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·046 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
47 ······sysctl_net_ipv4_conf_default_rp_filter_value:·147 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
48 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·148 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·1
49 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·149 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
50 ······sysctl_net_ipv4_tcp_syncookies_value:·150 ······sysctl_net_ipv4_tcp_syncookies_value:·1
51 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·051 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
52 ······sysctl_net_ipv4_conf_all_log_martians_value:·152 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
53 ······sysctl_net_ipv4_conf_all_rp_filter_value:·153 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
54 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·154 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
55 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·055 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·1
56 ······var_selinux_policy_name:·targeted56 ······var_selinux_policy_name:·targeted
57 ······var_selinux_state:·enforcing57 ······var_selinux_state:·enforcing
58 ······var_accounts_password_minlen_login_defs:·1558 ······var_accounts_password_minlen_login_defs:·15
59 ······var_accounts_minimum_age_login_defs:·7 
60 ······var_accounts_maximum_age_login_defs:·90 
61 ······var_accounts_password_warn_age_login_defs:·759 ······var_accounts_password_warn_age_login_defs:·7
 60 ······var_accounts_maximum_age_login_defs:·90
 61 ······var_accounts_minimum_age_login_defs:·7
62 ······var_account_disable_post_pw_expiration:·4062 ······var_account_disable_post_pw_expiration:·40
63 ······var_password_pam_unix_remember:·563 ······var_password_pam_unix_remember:·5
64 ······var_accounts_passwords_pam_faillock_deny:·364 ······var_accounts_passwords_pam_faillock_deny:·3
65 ······var_accounts_passwords_pam_faillock_unlock_time:·90065 ······var_accounts_passwords_pam_faillock_unlock_time:·900
66 ······var_accounts_passwords_pam_faillock_fail_interval:·90066 ······var_accounts_passwords_pam_faillock_fail_interval:·900
67 ······var_password_pam_retry:·367 ······var_password_pam_retry:·3
68 ······var_accounts_tmout:·60068 ······var_accounts_tmout:·600
 69 ······var_removable_partition:·/dev/cdrom
 70 ······var_removable_partition:·/dev/cdrom
 71 ······var_removable_partition:·/dev/cdrom
69 ······var_auditd_max_log_file:·672 ······var_auditd_max_log_file:·6
70 ······var_auditd_action_mail_acct:·admin73 ······var_auditd_action_mail_acct:·admin
71 ······var_auditd_space_left_action:·suspend 
72 ······var_auditd_admin_space_left_action:·single74 ······var_auditd_admin_space_left_action:·single
 75 ······var_auditd_space_left_action:·suspend
73 ······var_auditd_max_log_file_action:·rotate76 ······var_auditd_max_log_file_action:·rotate
74 ······var_removable_partition:·/dev/cdrom 
75 ······var_removable_partition:·/dev/cdrom 
76 ······var_removable_partition:·/dev/cdrom 
77 ···tasks:77 ···tasks:
78 ····-·name:·Check·if·/etc/samba/smb.conf·exists78 ····-·name:·Ensure·vsftpd·is·removed
79 ······stat:79 ······package:
80 ········path:·/etc/samba/smb.conf80 ········name="{{item}}"
81 ······register:·st_smb81 ········state=absent
82 ······tags:82 ······with_items:
83 ········-·require_smb_client_signing83 ········-·vsftpd
84 ········-·unknown_severity 
85 ········-·configure_strategy 
86 ········-·low_complexity 
87 ········-·medium_disruption 
88 ········-·CCE-26328-5 
89 ········-·DISA-STIG-RHEL-06-000272 
90 ···· 
91 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient 
92 ······lineinfile: 
93 ········dest:·/etc/samba/smb.conf 
94 ········line:·client·signing·=·mandatory 
95 ········state:·present 
96 ········insertafter:·[global] 
97 ······when:·st_smb.stat.exists 
98 ······tags:84 ······tags:
99 ········-·require_smb_client_signing85 ········-·package_vsftpd_removed
100 ········-·unknown_severity86 ········-·unknown_severity
101 ········-·configure_strategy87 ········-·disable_strategy
102 ········-·low_complexity88 ········-·low_complexity
103 ········-·medium_disruption89 ········-·low_disruption
104 ········-·CCE-26328-590 ········-·CCE-26687-4
105 ········-·DISA-STIG-RHEL-06-00027291 ········-·NIST-800-53-CM-7
106 ····92 ····
107 ····-·name:·Disable·service·httpd93 ····-·name:·Disable·service·httpd
108 ······service:94 ······service:
109 ········name="{{item}}"95 ········name="{{item}}"
110 ········enabled="no"96 ········enabled="no"
111 ········state="stopped"97 ········state="stopped"
112 ······register:·service_result98 ······register:·service_result
Offset 133, 62 lines modifiedOffset 119, 75 lines modified
133 ········-·unknown_severity119 ········-·unknown_severity
134 ········-·disable_strategy120 ········-·disable_strategy
135 ········-·low_complexity121 ········-·low_complexity
136 ········-·low_disruption122 ········-·low_disruption
137 ········-·CCE-27133-8123 ········-·CCE-27133-8
138 ········-·NIST-800-53-CM-7124 ········-·NIST-800-53-CM-7
139 ····125 ····
140 ····-·name:·Ensure·sendmail·is·removed126 ····-·name:·Disable·service·named
141 ······package:127 ······service:
142 ········name="{{item}}"128 ········name="{{item}}"
143 ········state=absent129 ········enabled="no"
 130 ········state="stopped"
 131 ······register:·service_result
 132 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
144 ······with_items:133 ······with_items:
145 ········-·sendmail134 ········-·named
146 ······tags:135 ······tags:
147 ········-·package_sendmail_removed136 ········-·service_named_disabled
148 ········-·medium_severity137 ········-·unknown_severity
149 ········-·disable_strategy138 ········-·disable_strategy
150 ········-·low_complexity139 ········-·low_complexity
151 ········-·low_disruption140 ········-·low_disruption
152 ········-·CCE-27515-6141 ········-·CCE-26873-0
153 ········-·NIST-800-53-CM-7142 ········-·NIST-800-53-CM-7
154 ········-·DISA-STIG-RHEL-06-000288 
155 ····143 ····
156 ····-·name:·Ensure·dhcp·is·removed144 ····-·name:·Ensure·bind·is·removed
157 ······package:145 ······package:
158 ········name="{{item}}"146 ········name="{{item}}"
159 ········state=absent147 ········state=absent
160 ······with_items:148 ······with_items:
161 ········-·dhcp149 ········-·bind
162 ······tags:150 ······tags:
163 ········-·package_dhcp_removed151 ········-·package_bind_removed
164 ········-·medium_severity152 ········-·unknown_severity
165 ········-·disable_strategy153 ········-·disable_strategy
166 ········-·low_complexity154 ········-·low_complexity
167 ········-·low_disruption155 ········-·low_disruption
168 ········-·CCE-27120-5156 ········-·CCE-27030-6
169 ········-·NIST-800-53-CM-7157 ········-·NIST-800-53-CM-7
170 ····158 ····
171 ····-·name:·Disable·service·dhcpd159 ····-·name:·Check·if·/etc/samba/smb.conf·exists
172 ······service:160 ······stat:
173 ········name="{{item}}"161 ········path:·/etc/samba/smb.conf
174 ········enabled="no"162 ······register:·st_smb
Max diff block lines reached; 169386/174902 bytes (96.85%) of diff not shown.
89.4 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-pci-dss.yml
    
Offset 39, 16 lines modifiedOffset 39, 16 lines modified
39 ······var_password_pam_unix_remember:·439 ······var_password_pam_unix_remember:·4
40 ······var_accounts_passwords_pam_faillock_deny:·640 ······var_accounts_passwords_pam_faillock_deny:·6
41 ······var_accounts_passwords_pam_faillock_unlock_time:·180041 ······var_accounts_passwords_pam_faillock_unlock_time:·1800
42 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000042 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
43 ······var_password_pam_minlen:·743 ······var_password_pam_minlen:·7
44 ······var_auditd_max_log_file:·144 ······var_auditd_max_log_file:·1
45 ······var_auditd_action_mail_acct:·admin45 ······var_auditd_action_mail_acct:·admin
46 ······var_auditd_space_left_action:·suspend 
47 ······var_auditd_admin_space_left_action:·suspend46 ······var_auditd_admin_space_left_action:·suspend
 47 ······var_auditd_space_left_action:·suspend
48 ······var_auditd_max_log_file_action:·ignore48 ······var_auditd_max_log_file_action:·ignore
49 ···tasks:49 ···tasks:
50 ····-·name:·Enable·service·ntpd50 ····-·name:·Enable·service·ntpd
51 ······service:51 ······service:
52 ········name="{{item}}"52 ········name="{{item}}"
53 ········enabled="yes"53 ········enabled="yes"
54 ········state="started"54 ········state="started"
Offset 83, 439 lines modifiedOffset 83, 14 lines modified
83 ········-·low_disruption83 ········-·low_disruption
84 ········-·CCE-26919-184 ········-·CCE-26919-1
85 ········-·NIST-800-53-AC-2(5)85 ········-·NIST-800-53-AC-2(5)
86 ········-·NIST-800-53-SA-886 ········-·NIST-800-53-SA-8
87 ········-·PCI-DSS-Req-8.1.887 ········-·PCI-DSS-Req-8.1.8
88 ········-·DISA-STIG-RHEL-06-00023088 ········-·DISA-STIG-RHEL-06-000230
89 ····89 ····
90 ····-·name:·"Read·list·of·files·with·incorrect·permissions" 
91 ······shell:·"rpm·-Va·|·grep·'^.M'·|·cut·-d·'·'·-f5-·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" 
92 ······register:·files_with_incorrect_permissions 
93 ······failed_when:·False 
94 ······changed_when:·False 
95 ······check_mode:·no 
96 ······tags: 
97 ········-·rpm_verify_permissions 
98 ········-·unknown_severity 
99 ········-·restrict_strategy 
100 ········-·high_complexity 
101 ········-·medium_disruption 
102 ········-·CCE-26731-0 
103 ········-·NIST-800-53-AC-6 
104 ········-·NIST-800-53-CM-6(d) 
105 ········-·NIST-800-53-SI-7 
106 ········-·PCI-DSS-Req-11.5 
107 ········-·DISA-STIG-RHEL-06-000518 
108 ···· 
109 ····-·name:·"Correct·file·permissions·with·RPM" 
110 ······shell:·"rpm·--setperms·$(rpm·-qf·'{{item}}')" 
111 ······with_items:·"{{·files_with_incorrect_permissions.stdout_lines·}}" 
112 ······when:·files_with_incorrect_permissions.stdout_lines·|·length·>·0 
113 ······tags: 
114 ········-·rpm_verify_permissions 
115 ········-·unknown_severity 
116 ········-·restrict_strategy 
117 ········-·high_complexity 
118 ········-·medium_disruption 
119 ········-·CCE-26731-0 
120 ········-·NIST-800-53-AC-6 
121 ········-·NIST-800-53-CM-6(d) 
122 ········-·NIST-800-53-SI-7 
123 ········-·PCI-DSS-Req-11.5 
124 ········-·DISA-STIG-RHEL-06-000518 
125 ···· 
126 ····-·name:·"Set·fact:·Package·manager·reinstall·command·(dnf)" 
127 ······set_fact: 
128 ········package_manager_reinstall_cmd:·dnf·reinstall·-y 
129 ······when:·ansible_distribution·==·"Fedora" 
130 ······tags: 
131 ········-·rpm_verify_hashes 
132 ········-·unknown_severity 
133 ········-·unknown_strategy 
134 ········-·high_complexity 
135 ········-·medium_disruption 
136 ········-·CCE-27223-7 
137 ········-·NIST-800-53-CM-6(d) 
138 ········-·NIST-800-53-SI-7 
139 ········-·PCI-DSS-Req-11.5 
140 ········-·DISA-STIG-RHEL-06-000519 
141 ···· 
142 ····-·name:·"Set·fact:·Package·manager·reinstall·command·(yum)" 
143 ······set_fact: 
144 ········package_manager_reinstall_cmd:·yum·reinstall·-y 
145 ······when:·ansible_distribution·==·"RedHat"·or·ansible_distribution·==·"OracleLinux" 
146 ······tags: 
147 ········-·rpm_verify_hashes 
148 ········-·unknown_severity 
149 ········-·unknown_strategy 
150 ········-·high_complexity 
151 ········-·medium_disruption 
152 ········-·CCE-27223-7 
153 ········-·NIST-800-53-CM-6(d) 
154 ········-·NIST-800-53-SI-7 
155 ········-·PCI-DSS-Req-11.5 
156 ········-·DISA-STIG-RHEL-06-000519 
157 ···· 
158 ····-·name:·"Read·files·with·incorrect·hash" 
159 ······shell:·"rpm·-Va·|·grep·-E·'^..5.*·/(bin|sbin|lib|lib64|usr)/'·|·sed·-r·'s;^.*\\s+(.+);\\1;g'" 
160 ······register:·files_with_incorrect_hash 
161 ······changed_when:·False 
162 ······when:·package_manager_reinstall_cmd·is·defined 
163 ······check_mode:·no 
164 ······tags: 
165 ········-·rpm_verify_hashes 
166 ········-·unknown_severity 
167 ········-·unknown_strategy 
168 ········-·high_complexity 
169 ········-·medium_disruption 
170 ········-·CCE-27223-7 
171 ········-·NIST-800-53-CM-6(d) 
172 ········-·NIST-800-53-SI-7 
173 ········-·PCI-DSS-Req-11.5 
174 ········-·DISA-STIG-RHEL-06-000519 
175 ···· 
176 ····-·name:·"Reinstall·packages·of·files·with·incorrect·hash" 
177 ······shell:·"{{package_manager_reinstall_cmd}}·$(rpm·-qf·'{{item}}')" 
178 ······with_items:·"{{·files_with_incorrect_hash.stdout_lines·}}" 
179 ······when:·package_manager_reinstall_cmd·is·defined·and·(files_with_incorrect_hash.stdout_lines·|·length·>·0) 
180 ······tags: 
181 ········-·rpm_verify_hashes 
182 ········-·unknown_severity 
183 ········-·unknown_strategy 
184 ········-·high_complexity 
185 ········-·medium_disruption 
186 ········-·CCE-27223-7 
187 ········-·NIST-800-53-CM-6(d) 
188 ········-·NIST-800-53-SI-7 
189 ········-·PCI-DSS-Req-11.5 
190 ········-·DISA-STIG-RHEL-06-000519 
191 ···· 
Max diff block lines reached; 77885/91457 bytes (85.16%) of diff not shown.
26.4 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-rht-ccp.yml
    
Offset 33, 23 lines modifiedOffset 33, 42 lines modified
33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."33 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
34 ··········34 ··········
35 ···vars:35 ···vars:
36 ······sshd_idle_timeout_value:·30036 ······sshd_idle_timeout_value:·300
37 ······var_selinux_policy_name:·targeted37 ······var_selinux_policy_name:·targeted
38 ······var_selinux_state:·enforcing38 ······var_selinux_state:·enforcing
39 ······var_accounts_password_minlen_login_defs:·639 ······var_accounts_password_minlen_login_defs:·6
40 ······var_accounts_minimum_age_login_defs:·7 
41 ······var_accounts_maximum_age_login_defs:·120 
42 ······var_accounts_password_warn_age_login_defs:·740 ······var_accounts_password_warn_age_login_defs:·7
 41 ······var_accounts_maximum_age_login_defs:·120
 42 ······var_accounts_minimum_age_login_defs:·7
43 ······var_password_pam_unix_remember:·543 ······var_password_pam_unix_remember:·5
44 ······var_accounts_passwords_pam_faillock_deny:·544 ······var_accounts_passwords_pam_faillock_deny:·5
45 ······var_accounts_passwords_pam_faillock_unlock_time:·60480045 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
46 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000046 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
47 ······var_password_pam_retry:·347 ······var_password_pam_retry:·3
48 ···tasks:48 ···tasks:
 49 ····-·name:·Disable·service·atd
 50 ······service:
 51 ········name="{{item}}"
 52 ········enabled="no"
 53 ········state="stopped"
 54 ······register:·service_result
 55 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 56 ······with_items:
 57 ········-·atd
 58 ······tags:
 59 ········-·service_atd_disabled
 60 ········-·unknown_severity
 61 ········-·disable_strategy
 62 ········-·low_complexity
 63 ········-·low_disruption
 64 ········-·CCE-27249-2
 65 ········-·NIST-800-53-CM-7
 66 ········-·DISA-STIG-RHEL-06-000262
 67 ····
49 ····-·name:·Ensure·rsh-server·is·removed68 ····-·name:·Ensure·rsh-server·is·removed
50 ······package:69 ······package:
51 ········name="{{item}}"70 ········name="{{item}}"
52 ········state=absent71 ········state=absent
53 ······with_items:72 ······with_items:
54 ········-·rsh-server73 ········-·rsh-server
55 ······tags:74 ······tags:
Offset 179, 33 lines modifiedOffset 198, 14 lines modified
179 ········-·disable_strategy198 ········-·disable_strategy
180 ········-·low_complexity199 ········-·low_complexity
181 ········-·low_disruption200 ········-·low_disruption
182 ········-·CCE-27005-8201 ········-·CCE-27005-8
183 ········-·NIST-800-53-CM-7202 ········-·NIST-800-53-CM-7
184 ········-·DISA-STIG-RHEL-06-000204203 ········-·DISA-STIG-RHEL-06-000204
185 ····204 ····
186 ····-·name:·Disable·service·atd 
187 ······service: 
188 ········name="{{item}}" 
189 ········enabled="no" 
190 ········state="stopped" 
191 ······register:·service_result 
192 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)" 
193 ······with_items: 
194 ········-·atd 
195 ······tags: 
196 ········-·service_atd_disabled 
197 ········-·unknown_severity 
198 ········-·disable_strategy 
199 ········-·low_complexity 
200 ········-·low_disruption 
201 ········-·CCE-27249-2 
202 ········-·NIST-800-53-CM-7 
203 ········-·DISA-STIG-RHEL-06-000262 
204 ···· 
205 ····-·name:·Disable·service·rdisc205 ····-·name:·Disable·service·rdisc
206 ······service:206 ······service:
207 ········name="{{item}}"207 ········name="{{item}}"
208 ········enabled="no"208 ········enabled="no"
209 ········state="stopped"209 ········state="stopped"
210 ······register:·service_result210 ······register:·service_result
211 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"211 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 294, 14 lines modifiedOffset 294, 33 lines modified
294 ········-·disable_strategy294 ········-·disable_strategy
295 ········-·low_complexity295 ········-·low_complexity
296 ········-·low_disruption296 ········-·low_disruption
297 ········-·CCE-27256-7297 ········-·CCE-27256-7
298 ········-·NIST-800-53-CM-7298 ········-·NIST-800-53-CM-7
299 ········-·DISA-STIG-RHEL-06-000265299 ········-·DISA-STIG-RHEL-06-000265
300 ····300 ····
 301 ····-·name:·Disable·service·avahi-daemon
 302 ······service:
 303 ········name="{{item}}"
 304 ········enabled="no"
 305 ········state="stopped"
 306 ······register:·service_result
 307 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 308 ······with_items:
 309 ········-·avahi-daemon
 310 ······tags:
 311 ········-·service_avahi-daemon_disabled
 312 ········-·unknown_severity
 313 ········-·disable_strategy
 314 ········-·low_complexity
 315 ········-·low_disruption
 316 ········-·CCE-27087-6
 317 ········-·NIST-800-53-CM-7
 318 ········-·DISA-STIG-RHEL-06-000246
 319 ····
301 ····-·name:·Disable·SSH·Support·for·.rhosts·Files320 ····-·name:·Disable·SSH·Support·for·.rhosts·Files
302 ······lineinfile:321 ······lineinfile:
303 ········create:·yes322 ········create:·yes
304 ········dest:·/etc/ssh/sshd_config323 ········dest:·/etc/ssh/sshd_config
305 ········regexp:·^IgnoreRhosts324 ········regexp:·^IgnoreRhosts
306 ········line:·IgnoreRhosts·yes325 ········line:·IgnoreRhosts·yes
307 ········validate:·sshd·-t·-f·%s326 ········validate:·sshd·-t·-f·%s
Offset 440, 33 lines modifiedOffset 459, 14 lines modified
440 ········-·restrict_strategy459 ········-·restrict_strategy
441 ········-·low_complexity460 ········-·low_complexity
442 ········-·low_disruption461 ········-·low_disruption
443 ········-·CCE-27091-8462 ········-·CCE-27091-8
444 ········-·NIST-800-53-AC-3463 ········-·NIST-800-53-AC-3
445 ········-·DISA-STIG-RHEL-06-000236464 ········-·DISA-STIG-RHEL-06-000236
446 ····465 ····
447 ···· 
448 ····-·name:·"Allow·Only·SSH·Protocol·2" 
449 ······lineinfile: 
450 ········dest:·/etc/ssh/sshd_config 
451 ········regexp:·"^Protocol·[0-9]" 
452 ········line:·"Protocol·2" 
453 ········validate:·sshd·-t·-f·%s 
Max diff block lines reached; 22675/26927 bytes (84.21%) of diff not shown.
116 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-server.yml
    
Offset 34, 41 lines modifiedOffset 34, 41 lines modified
34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."34 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
35 ··········35 ··········
36 ···vars:36 ···vars:
37 ······sshd_idle_timeout_value:·30037 ······sshd_idle_timeout_value:·300
38 ······rsyslog_remote_loghost_address:·None38 ······rsyslog_remote_loghost_address:·None
39 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·039 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
40 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·040 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
41 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·141 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
42 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·042 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
43 ······sysctl_net_ipv4_conf_default_rp_filter_value:·143 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
44 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·044 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
45 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
46 ······sysctl_net_ipv4_tcp_syncookies_value:·146 ······sysctl_net_ipv4_tcp_syncookies_value:·1
47 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·047 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
48 ······sysctl_net_ipv4_conf_all_log_martians_value:·148 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
49 ······sysctl_net_ipv4_conf_all_rp_filter_value:·149 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
50 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·150 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
51 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·051 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
52 ······var_selinux_policy_name:·targeted52 ······var_selinux_policy_name:·targeted
53 ······var_selinux_state:·enforcing53 ······var_selinux_state:·enforcing
54 ······var_accounts_password_minlen_login_defs:·1554 ······var_accounts_password_minlen_login_defs:·15
55 ······var_accounts_minimum_age_login_defs:·7 
56 ······var_accounts_maximum_age_login_defs:·90 
57 ······var_accounts_password_warn_age_login_defs:·755 ······var_accounts_password_warn_age_login_defs:·7
 56 ······var_accounts_maximum_age_login_defs:·90
 57 ······var_accounts_minimum_age_login_defs:·7
58 ······var_password_pam_unix_remember:·558 ······var_password_pam_unix_remember:·5
59 ······var_accounts_passwords_pam_faillock_deny:·359 ······var_accounts_passwords_pam_faillock_deny:·3
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_tmout:·60063 ······var_accounts_tmout:·600
 64 ······var_removable_partition:·/dev/cdrom
64 ······var_auditd_max_log_file:·665 ······var_auditd_max_log_file:·6
65 ······var_auditd_admin_space_left_action:·single66 ······var_auditd_admin_space_left_action:·single
66 ······var_auditd_max_log_file_action:·rotate67 ······var_auditd_max_log_file_action:·rotate
67 ······var_removable_partition:·/dev/cdrom 
68 ···tasks:68 ···tasks:
69 ····-·name:·Check·if·/etc/samba/smb.conf·exists69 ····-·name:·Check·if·/etc/samba/smb.conf·exists
70 ······stat:70 ······stat:
71 ········path:·/etc/samba/smb.conf71 ········path:·/etc/samba/smb.conf
72 ······register:·st_smb72 ······register:·st_smb
73 ······tags:73 ······tags:
74 ········-·require_smb_client_signing74 ········-·require_smb_client_signing
Offset 109, 14 lines modifiedOffset 109, 81 lines modified
109 ········-·low_complexity109 ········-·low_complexity
110 ········-·low_disruption110 ········-·low_disruption
111 ········-·CCE-27093-4111 ········-·CCE-27093-4
112 ········-·NIST-800-53-AU-8(1)112 ········-·NIST-800-53-AU-8(1)
113 ········-·PCI-DSS-Req-10.4113 ········-·PCI-DSS-Req-10.4
114 ········-·DISA-STIG-RHEL-06-000247114 ········-·DISA-STIG-RHEL-06-000247
115 ····115 ····
 116 ····-·name:·Ensure·openldap-servers·is·removed
 117 ······package:
 118 ········name="{{item}}"
 119 ········state=absent
 120 ······with_items:
 121 ········-·openldap-servers
 122 ······tags:
 123 ········-·package_openldap-servers_removed
 124 ········-·unknown_severity
 125 ········-·disable_strategy
 126 ········-·low_complexity
 127 ········-·low_disruption
 128 ········-·CCE-26858-1
 129 ········-·NIST-800-53-CM-7
 130 ········-·DISA-STIG-RHEL-06-000256
 131 ····
 132 ····-·name:·Enable·service·crond
 133 ······service:
 134 ········name="{{item}}"
 135 ········enabled="yes"
 136 ········state="started"
 137 ······with_items:
 138 ········-·crond
 139 ······tags:
 140 ········-·service_crond_enabled
 141 ········-·medium_severity
 142 ········-·enable_strategy
 143 ········-·low_complexity
 144 ········-·low_disruption
 145 ········-·CCE-27070-2
 146 ········-·NIST-800-53-CM-7
 147 ········-·DISA-STIG-RHEL-06-000224
 148 ····
 149 ····-·name:·Disable·service·atd
 150 ······service:
 151 ········name="{{item}}"
 152 ········enabled="no"
 153 ········state="stopped"
 154 ······register:·service_result
 155 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 156 ······with_items:
 157 ········-·atd
 158 ······tags:
 159 ········-·service_atd_disabled
 160 ········-·unknown_severity
 161 ········-·disable_strategy
 162 ········-·low_complexity
 163 ········-·low_disruption
 164 ········-·CCE-27249-2
 165 ········-·NIST-800-53-CM-7
 166 ········-·DISA-STIG-RHEL-06-000262
 167 ····
 168 ····-·name:·Ensure·xorg-x11-server-common·is·removed
 169 ······package:
 170 ········name="{{item}}"
 171 ········state=absent
 172 ······with_items:
 173 ········-·xorg-x11-server-common
 174 ······tags:
 175 ········-·package_xorg-x11-server-common_removed
 176 ········-·unknown_severity
 177 ········-·disable_strategy
 178 ········-·low_complexity
 179 ········-·low_disruption
 180 ········-·CCE-27198-1
 181 ········-·DISA-STIG-RHEL-06-000291
 182 ····
116 ····-·name:·Ensure·rsh-server·is·removed183 ····-·name:·Ensure·rsh-server·is·removed
117 ······package:184 ······package:
118 ········name="{{item}}"185 ········name="{{item}}"
119 ········state=absent186 ········state=absent
120 ······with_items:187 ······with_items:
121 ········-·rsh-server188 ········-·rsh-server
122 ······tags:189 ······tags:
Offset 271, 65 lines modifiedOffset 338, 14 lines modified
Max diff block lines reached; 114413/118830 bytes (96.28%) of diff not shown.
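Review bot: The two builds emit the same `vars:` and `tasks:` entries in different orders — the sysctl_* variables at lines 41–51, the login_defs variables at 55–57, and the four tasks inserted ahead of `Ensure rsh-server is removed` — so the generated role is not reproducible; the same drift is visible in ssg-sl6-role-standard.yml, ssg-sl6-role-stig-rhel6-disa.yml, ssg-sl6-role-usgcb-rhel6-server.yml and ssg-sl7-role-C2S.yml. This looks like the generator iterating an unordered set or dict of selected rules and variables, though the generating code is not on this page. Besides breaking reproducible-build verification of the package, it makes a diff of the generated role between two releases useless for reviewing what actually changed in the hardening baseline. Sorting variable names and selected rule ids with a stable key before emission would fix both.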
115 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-standard.yml
    
Offset 35, 41 lines modifiedOffset 35, 41 lines modified
35 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."35 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
36 ··········36 ··········
37 ···vars:37 ···vars:
38 ······sshd_idle_timeout_value:·30038 ······sshd_idle_timeout_value:·300
39 ······rsyslog_remote_loghost_address:·None39 ······rsyslog_remote_loghost_address:·None
40 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·040 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
41 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·041 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
42 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·142 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
43 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_rp_filter_value:·144 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
45 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
46 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·046 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
47 ······sysctl_net_ipv4_tcp_syncookies_value:·147 ······sysctl_net_ipv4_tcp_syncookies_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·048 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_all_log_martians_value:·149 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
50 ······sysctl_net_ipv4_conf_all_rp_filter_value:·150 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
51 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·151 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
52 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·052 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
53 ······var_selinux_policy_name:·targeted53 ······var_selinux_policy_name:·targeted
54 ······var_selinux_state:·enforcing54 ······var_selinux_state:·enforcing
55 ······var_accounts_password_minlen_login_defs:·1555 ······var_accounts_password_minlen_login_defs:·15
56 ······var_accounts_minimum_age_login_defs:·7 
57 ······var_accounts_maximum_age_login_defs:·90 
58 ······var_accounts_password_warn_age_login_defs:·756 ······var_accounts_password_warn_age_login_defs:·7
 57 ······var_accounts_maximum_age_login_defs:·90
 58 ······var_accounts_minimum_age_login_defs:·7
59 ······var_password_pam_unix_remember:·559 ······var_password_pam_unix_remember:·5
60 ······var_accounts_passwords_pam_faillock_deny:·360 ······var_accounts_passwords_pam_faillock_deny:·3
61 ······var_accounts_passwords_pam_faillock_unlock_time:·60480061 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
62 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000062 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
63 ······var_password_pam_retry:·363 ······var_password_pam_retry:·3
64 ······var_accounts_tmout:·60064 ······var_accounts_tmout:·600
 65 ······var_removable_partition:·/dev/cdrom
65 ······var_auditd_max_log_file:·666 ······var_auditd_max_log_file:·6
66 ······var_auditd_admin_space_left_action:·single67 ······var_auditd_admin_space_left_action:·single
67 ······var_auditd_max_log_file_action:·rotate68 ······var_auditd_max_log_file_action:·rotate
68 ······var_removable_partition:·/dev/cdrom 
69 ···tasks:69 ···tasks:
70 ····-·name:·Check·if·/etc/samba/smb.conf·exists70 ····-·name:·Check·if·/etc/samba/smb.conf·exists
71 ······stat:71 ······stat:
72 ········path:·/etc/samba/smb.conf72 ········path:·/etc/samba/smb.conf
73 ······register:·st_smb73 ······register:·st_smb
74 ······tags:74 ······tags:
75 ········-·require_smb_client_signing75 ········-·require_smb_client_signing
Offset 110, 14 lines modifiedOffset 110, 66 lines modified
110 ········-·low_complexity110 ········-·low_complexity
111 ········-·low_disruption111 ········-·low_disruption
112 ········-·CCE-27093-4112 ········-·CCE-27093-4
113 ········-·NIST-800-53-AU-8(1)113 ········-·NIST-800-53-AU-8(1)
114 ········-·PCI-DSS-Req-10.4114 ········-·PCI-DSS-Req-10.4
115 ········-·DISA-STIG-RHEL-06-000247115 ········-·DISA-STIG-RHEL-06-000247
116 ····116 ····
 117 ····-·name:·Ensure·openldap-servers·is·removed
 118 ······package:
 119 ········name="{{item}}"
 120 ········state=absent
 121 ······with_items:
 122 ········-·openldap-servers
 123 ······tags:
 124 ········-·package_openldap-servers_removed
 125 ········-·unknown_severity
 126 ········-·disable_strategy
 127 ········-·low_complexity
 128 ········-·low_disruption
 129 ········-·CCE-26858-1
 130 ········-·NIST-800-53-CM-7
 131 ········-·DISA-STIG-RHEL-06-000256
 132 ····
 133 ····-·name:·Enable·service·crond
 134 ······service:
 135 ········name="{{item}}"
 136 ········enabled="yes"
 137 ········state="started"
 138 ······with_items:
 139 ········-·crond
 140 ······tags:
 141 ········-·service_crond_enabled
 142 ········-·medium_severity
 143 ········-·enable_strategy
 144 ········-·low_complexity
 145 ········-·low_disruption
 146 ········-·CCE-27070-2
 147 ········-·NIST-800-53-CM-7
 148 ········-·DISA-STIG-RHEL-06-000224
 149 ····
 150 ····-·name:·Disable·service·atd
 151 ······service:
 152 ········name="{{item}}"
 153 ········enabled="no"
 154 ········state="stopped"
 155 ······register:·service_result
 156 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 157 ······with_items:
 158 ········-·atd
 159 ······tags:
 160 ········-·service_atd_disabled
 161 ········-·unknown_severity
 162 ········-·disable_strategy
 163 ········-·low_complexity
 164 ········-·low_disruption
 165 ········-·CCE-27249-2
 166 ········-·NIST-800-53-CM-7
 167 ········-·DISA-STIG-RHEL-06-000262
 168 ····
117 ····-·name:·Ensure·rsh-server·is·removed169 ····-·name:·Ensure·rsh-server·is·removed
118 ······package:170 ······package:
119 ········name="{{item}}"171 ········name="{{item}}"
120 ········state=absent172 ········state=absent
121 ······with_items:173 ······with_items:
122 ········-·rsh-server174 ········-·rsh-server
123 ······tags:175 ······tags:
Offset 272, 50 lines modifiedOffset 324, 14 lines modified
272 ········-·disable_strategy324 ········-·disable_strategy
273 ········-·low_complexity325 ········-·low_complexity
274 ········-·low_disruption326 ········-·low_disruption
275 ········-·CCE-27005-8327 ········-·CCE-27005-8
276 ········-·NIST-800-53-CM-7328 ········-·NIST-800-53-CM-7
277 ········-·DISA-STIG-RHEL-06-000204329 ········-·DISA-STIG-RHEL-06-000204
278 ····330 ····
279 ····-·name:·Enable·service·crond 
280 ······service: 
281 ········name="{{item}}" 
282 ········enabled="yes" 
283 ········state="started" 
284 ······with_items: 
285 ········-·crond 
286 ······tags: 
Max diff block lines reached; 112847/118018 bytes (95.62%) of diff not shown.
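Review bot: `failed_when: "service_result|failed and ('Could not find the requested service' not in service_result.msg)"` on the `Disable service atd` task (line 156) uses `failed` as a filter; that form was deprecated in Ansible 2.5 and removed in 2.9, so on current Ansible the task errors at templating time instead of evaluating the condition. The role only requires Ansible 2.3 (line 35) and the `is failed` test form only exists from 2.5, so a replacement that works on both sides of that boundary is something like `failed_when: "(service_result.failed | default(false)) and ('Could not find the requested service' not in service_result.msg)"`. Every `Disable service …` task in the other sl6 role files on this page uses the same construct.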
148 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-stig-rhel6-disa.yml
    
Offset 40, 49 lines modifiedOffset 40, 49 lines modified
40 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."40 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
41 ··········41 ··········
42 ···vars:42 ···vars:
43 ······sshd_idle_timeout_value:·90043 ······sshd_idle_timeout_value:·900
44 ······rsyslog_remote_loghost_address:·None44 ······rsyslog_remote_loghost_address:·None
45 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·045 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
46 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·046 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
47 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·147 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
48 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·048 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_default_rp_filter_value:·149 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
50 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·050 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
51 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·051 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
52 ······sysctl_net_ipv4_tcp_syncookies_value:·152 ······sysctl_net_ipv4_tcp_syncookies_value:·1
53 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·053 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
54 ······sysctl_net_ipv4_conf_all_log_martians_value:·154 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
55 ······sysctl_net_ipv4_conf_all_rp_filter_value:·155 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
56 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·156 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
57 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·057 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
58 ······var_selinux_policy_name:·targeted58 ······var_selinux_policy_name:·targeted
59 ······var_selinux_state:·enforcing59 ······var_selinux_state:·enforcing
60 ······var_accounts_password_minlen_login_defs:·1560 ······var_accounts_password_minlen_login_defs:·15
61 ······var_accounts_minimum_age_login_defs:·1 
62 ······var_accounts_maximum_age_login_defs:·60 
63 ······var_accounts_password_warn_age_login_defs:·761 ······var_accounts_password_warn_age_login_defs:·7
 62 ······var_accounts_maximum_age_login_defs:·60
 63 ······var_accounts_minimum_age_login_defs:·1
64 ······var_account_disable_post_pw_expiration:·3564 ······var_account_disable_post_pw_expiration:·35
65 ······var_password_pam_unix_remember:·565 ······var_password_pam_unix_remember:·5
66 ······var_accounts_passwords_pam_faillock_deny:·366 ······var_accounts_passwords_pam_faillock_deny:·3
67 ······var_accounts_passwords_pam_faillock_unlock_time:·60480067 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
68 ······var_accounts_passwords_pam_faillock_fail_interval:·90068 ······var_accounts_passwords_pam_faillock_fail_interval:·900
69 ······var_password_pam_maxrepeat:·369 ······var_password_pam_maxrepeat:·3
70 ······var_password_pam_retry:·370 ······var_password_pam_retry:·3
71 ······var_accounts_user_umask:·07771 ······var_accounts_user_umask:·077
72 ······var_accounts_tmout:·60072 ······var_accounts_tmout:·600
73 ······var_accounts_max_concurrent_login_sessions:·1073 ······var_accounts_max_concurrent_login_sessions:·10
 74 ······var_removable_partition:·/dev/cdrom
 75 ······var_removable_partition:·/dev/cdrom
 76 ······var_removable_partition:·/dev/cdrom
74 ······var_auditd_max_log_file:·677 ······var_auditd_max_log_file:·6
75 ······var_auditd_action_mail_acct:·admin78 ······var_auditd_action_mail_acct:·admin
76 ······var_auditd_space_left_action:·suspend 
77 ······var_auditd_admin_space_left_action:·single79 ······var_auditd_admin_space_left_action:·single
 80 ······var_auditd_space_left_action:·suspend
78 ······var_auditd_max_log_file_action:·rotate81 ······var_auditd_max_log_file_action:·rotate
79 ······var_removable_partition:·/dev/cdrom 
80 ······var_removable_partition:·/dev/cdrom 
81 ······var_removable_partition:·/dev/cdrom 
82 ···tasks:82 ···tasks:
83 ····-·name:·Check·if·/etc/samba/smb.conf·exists83 ····-·name:·Check·if·/etc/samba/smb.conf·exists
84 ······stat:84 ······stat:
85 ········path:·/etc/samba/smb.conf85 ········path:·/etc/samba/smb.conf
86 ······register:·st_smb86 ······register:·st_smb
87 ······tags:87 ······tags:
88 ········-·require_smb_client_signing88 ········-·require_smb_client_signing
Offset 105, 63 lines modifiedOffset 105, 98 lines modified
105 ········-·unknown_severity105 ········-·unknown_severity
106 ········-·configure_strategy106 ········-·configure_strategy
107 ········-·low_complexity107 ········-·low_complexity
108 ········-·medium_disruption108 ········-·medium_disruption
109 ········-·CCE-26328-5109 ········-·CCE-26328-5
110 ········-·DISA-STIG-RHEL-06-000272110 ········-·DISA-STIG-RHEL-06-000272
111 ····111 ····
112 ····-·name:·Ensure·sendmail·is·removed112 ····-·name:·Enable·service·ntpd
 113 ······service:
 114 ········name="{{item}}"
 115 ········enabled="yes"
 116 ········state="started"
 117 ······with_items:
 118 ········-·ntpd
 119 ······tags:
 120 ········-·service_ntpd_enabled
 121 ········-·medium_severity
 122 ········-·enable_strategy
 123 ········-·low_complexity
 124 ········-·low_disruption
 125 ········-·CCE-27093-4
 126 ········-·NIST-800-53-AU-8(1)
 127 ········-·PCI-DSS-Req-10.4
 128 ········-·DISA-STIG-RHEL-06-000247
 129 ····
 130 ····-·name:·Ensure·openldap-servers·is·removed
113 ······package:131 ······package:
114 ········name="{{item}}"132 ········name="{{item}}"
115 ········state=absent133 ········state=absent
116 ······with_items:134 ······with_items:
117 ········-·sendmail135 ········-·openldap-servers
118 ······tags:136 ······tags:
119 ········-·package_sendmail_removed137 ········-·package_openldap-servers_removed
120 ········-·medium_severity138 ········-·unknown_severity
121 ········-·disable_strategy139 ········-·disable_strategy
122 ········-·low_complexity140 ········-·low_complexity
123 ········-·low_disruption141 ········-·low_disruption
124 ········-·CCE-27515-6142 ········-·CCE-26858-1
125 ········-·NIST-800-53-CM-7143 ········-·NIST-800-53-CM-7
126 ········-·DISA-STIG-RHEL-06-000288144 ········-·DISA-STIG-RHEL-06-000256
127 ····145 ····
128 ····-·name:·Enable·service·postfix146 ····-·name:·Enable·service·crond
129 ······service:147 ······service:
130 ········name="{{item}}"148 ········name="{{item}}"
131 ········enabled="yes"149 ········enabled="yes"
132 ········state="started"150 ········state="started"
133 ······with_items:151 ······with_items:
134 ········-·postfix152 ········-·crond
135 ······tags:153 ······tags:
136 ········-·service_postfix_enabled154 ········-·service_crond_enabled
137 ········-·unknown_severity155 ········-·medium_severity
138 ········-·enable_strategy156 ········-·enable_strategy
139 ········-·low_complexity157 ········-·low_complexity
140 ········-·low_disruption158 ········-·low_disruption
141 ········-·CCE-26325-1159 ········-·CCE-27070-2
142 ········-·DISA-STIG-RHEL-06-000287160 ········-·NIST-800-53-CM-7
 161 ········-·DISA-STIG-RHEL-06-000224
143 ····162 ····
144 ····-·name:·Enable·service·ntpd163 ····-·name:·Disable·service·atd
145 ······service:164 ······service:
146 ········name="{{item}}"165 ········name="{{item}}"
147 ········enabled="yes"166 ········enabled="no"
148 ········state="started"167 ········state="stopped"
 168 ······register:·service_result
 169 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
149 ······with_items:170 ······with_items:
150 ········-·ntpd171 ········-·atd
151 ······tags:172 ······tags:
152 ········-·service_ntpd_enabled173 ········-·service_atd_disabled
153 ········-·medium_severity174 ········-·unknown_severity
154 ········-·enable_strategy175 ········-·disable_strategy
Max diff block lines reached; 146690/151852 bytes (96.60%) of diff not shown.
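Review bot: The new side of the `vars:` block carries `var_removable_partition: /dev/cdrom` three times (lines 74–76), as the old side did at 79–81, and ssg-sl6-role-usgcb-rhel6-server.yml repeats it at 64–66 on both sides. Duplicate keys in a YAML mapping are invalid per the spec; PyYAML silently keeps the last value and, as far as I recall, Ansible's loader warns and does the same, so the role only works because all three values happen to be identical — a profile that refined the value in one place would be silently overridden. The generator presumably emits one entry per rule that references the variable rather than one per variable; deduplicating variables before emission would remove the repeats. The task order in this file also changes between builds (ntpd, openldap-servers, crond and atd move relative to sendmail and postfix), the same reproducibility issue as in the other sl6 roles.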
161 KB
./usr/share/scap-security-guide/ansible/ssg-sl6-role-usgcb-rhel6-server.yml
    
Offset 35, 85 lines modifiedOffset 35, 72 lines modified
35 ··········35 ··········
36 ···vars:36 ···vars:
37 ······sshd_idle_timeout_value:·30037 ······sshd_idle_timeout_value:·300
38 ······rsyslog_remote_loghost_address:·None38 ······rsyslog_remote_loghost_address:·None
39 ······sysctl_net_ipv6_conf_default_accept_ra_value:·039 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
40 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·040 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
41 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·041 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
42 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·142 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
43 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·043 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
44 ······sysctl_net_ipv4_conf_default_rp_filter_value:·144 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
45 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·045 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
46 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0 
47 ······sysctl_net_ipv4_tcp_syncookies_value:·146 ······sysctl_net_ipv4_tcp_syncookies_value:·1
48 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·047 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv4_conf_all_log_martians_value:·148 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
50 ······sysctl_net_ipv4_conf_all_rp_filter_value:·149 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
51 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·150 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
 51 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
52 ······var_selinux_policy_name:·targeted52 ······var_selinux_policy_name:·targeted
53 ······var_selinux_state:·enforcing53 ······var_selinux_state:·enforcing
54 ······var_accounts_password_minlen_login_defs:·1254 ······var_accounts_password_minlen_login_defs:·12
55 ······var_accounts_maximum_age_login_defs:·60 
56 ······var_accounts_password_warn_age_login_defs:·1455 ······var_accounts_password_warn_age_login_defs:·14
 56 ······var_accounts_maximum_age_login_defs:·60
57 ······var_account_disable_post_pw_expiration:·3057 ······var_account_disable_post_pw_expiration:·30
58 ······var_password_pam_unix_remember:·2458 ······var_password_pam_unix_remember:·24
59 ······var_accounts_passwords_pam_faillock_deny:·559 ······var_accounts_passwords_pam_faillock_deny:·5
60 ······var_accounts_passwords_pam_faillock_unlock_time:·60480060 ······var_accounts_passwords_pam_faillock_unlock_time:·604800
61 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000061 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
62 ······var_password_pam_retry:·362 ······var_password_pam_retry:·3
63 ······var_accounts_user_umask:·07763 ······var_accounts_user_umask:·077
64 ······var_removable_partition:·/dev/cdrom64 ······var_removable_partition:·/dev/cdrom
65 ······var_removable_partition:·/dev/cdrom65 ······var_removable_partition:·/dev/cdrom
66 ······var_removable_partition:·/dev/cdrom66 ······var_removable_partition:·/dev/cdrom
67 ···tasks:67 ···tasks:
68 ····-·name:·Disable·service·smb68 ····-·name:·Disable·service·vsftpd
69 ······service:69 ······service:
70 ········name="{{item}}"70 ········name="{{item}}"
71 ········enabled="no"71 ········enabled="no"
72 ········state="stopped"72 ········state="stopped"
73 ······register:·service_result73 ······register:·service_result
74 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"74 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
75 ······with_items:75 ······with_items:
76 ········-·smb76 ········-·vsftpd
77 ······tags:77 ······tags:
78 ········-·service_smb_disabled78 ········-·service_vsftpd_disabled
79 ········-·unknown_severity79 ········-·unknown_severity
80 ········-·disable_strategy80 ········-·disable_strategy
81 ········-·low_complexity81 ········-·low_complexity
82 ········-·low_disruption82 ········-·low_disruption
83 ········-·CCE-27143-783 ········-·CCE-26948-0
84 ····84 ········-·NIST-800-53-CM-7
85 ····-·name:·Check·if·/etc/samba/smb.conf·exists 
86 ······stat: 
87 ········path:·/etc/samba/smb.conf 
88 ······register:·st_smb 
89 ······tags: 
90 ········-·require_smb_client_signing 
91 ········-·unknown_severity 
92 ········-·configure_strategy 
93 ········-·low_complexity 
94 ········-·medium_disruption 
95 ········-·CCE-26328-5 
96 ········-·DISA-STIG-RHEL-06-000272 
97 ····85 ····
98 ····-·name:·Require·Client·SMB·Packet·Signing,·if·using·smbclient86 ····-·name:·Ensure·vsftpd·is·removed
99 ······lineinfile:87 ······package:
100 ········dest:·/etc/samba/smb.conf88 ········name="{{item}}"
101 ········line:·client·signing·=·mandatory89 ········state=absent
102 ········state:·present90 ······with_items:
103 ········insertafter:·[global]91 ········-·vsftpd
104 ······when:·st_smb.stat.exists 
105 ······tags:92 ······tags:
106 ········-·require_smb_client_signing93 ········-·package_vsftpd_removed
107 ········-·unknown_severity94 ········-·unknown_severity
108 ········-·configure_strategy95 ········-·disable_strategy
109 ········-·low_complexity96 ········-·low_complexity
110 ········-·medium_disruption97 ········-·low_disruption
111 ········-·CCE-26328-598 ········-·CCE-26687-4
112 ········-·DISA-STIG-RHEL-06-00027299 ········-·NIST-800-53-CM-7
113 ····100 ····
114 ····-·name:·Disable·service·httpd101 ····-·name:·Disable·service·httpd
115 ······service:102 ······service:
116 ········name="{{item}}"103 ········name="{{item}}"
117 ········enabled="no"104 ········enabled="no"
118 ········state="stopped"105 ········state="stopped"
119 ······register:·service_result106 ······register:·service_result
Offset 140, 62 lines modifiedOffset 127, 92 lines modified
140 ········-·unknown_severity127 ········-·unknown_severity
141 ········-·disable_strategy128 ········-·disable_strategy
142 ········-·low_complexity129 ········-·low_complexity
143 ········-·low_disruption130 ········-·low_disruption
144 ········-·CCE-27133-8131 ········-·CCE-27133-8
145 ········-·NIST-800-53-CM-7132 ········-·NIST-800-53-CM-7
146 ····133 ····
147 ····-·name:·Ensure·sendmail·is·removed134 ····-·name:·Disable·service·named
148 ······package:135 ······service:
149 ········name="{{item}}"136 ········name="{{item}}"
150 ········state=absent137 ········enabled="no"
 138 ········state="stopped"
 139 ······register:·service_result
 140 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
151 ······with_items:141 ······with_items:
152 ········-·sendmail142 ········-·named
153 ······tags:143 ······tags:
154 ········-·package_sendmail_removed144 ········-·service_named_disabled
155 ········-·medium_severity145 ········-·unknown_severity
156 ········-·disable_strategy146 ········-·disable_strategy
157 ········-·low_complexity147 ········-·low_complexity
158 ········-·low_disruption148 ········-·low_disruption
159 ········-·CCE-27515-6149 ········-·CCE-26873-0
160 ········-·NIST-800-53-CM-7150 ········-·NIST-800-53-CM-7
161 ········-·DISA-STIG-RHEL-06-000288 
162 ····151 ····
163 ····-·name:·Ensure·dhcp·is·removed152 ····-·name:·Ensure·bind·is·removed
164 ······package:153 ······package:
165 ········name="{{item}}"154 ········name="{{item}}"
166 ········state=absent155 ········state=absent
167 ······with_items:156 ······with_items:
168 ········-·dhcp157 ········-·bind
169 ······tags:158 ······tags:
170 ········-·package_dhcp_removed159 ········-·package_bind_removed
171 ········-·medium_severity160 ········-·unknown_severity
172 ········-·disable_strategy161 ········-·disable_strategy
173 ········-·low_complexity162 ········-·low_complexity
174 ········-·low_disruption163 ········-·low_disruption
175 ········-·CCE-27120-5164 ········-·CCE-27030-6
Max diff block lines reached; 159145/164250 bytes (96.89%) of diff not shown.
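Review bot: On the new side the `Check if /etc/samba/smb.conf exists` stat task and the `Require Client SMB Packet Signing, if using smbclient` task (old lines 85–112) have no counterpart in the visible part of the section, with `Disable service vsftpd` and `Ensure vsftpd is removed` appearing in their place; because diffoscope truncated the rest of the file, the page does not show whether the SMB tasks moved later or were dropped. Given the ordering drift in the other sl6 roles this is probably a move, but a hardening task silently disappearing from a role would be a real regression rather than a reproducibility nit, so the full new file should be checked for the `require_smb_client_signing` tag. Note also that the lineinfile task is gated on `when: st_smb.stat.exists`, so if the stat task ended up after it the condition would reference an undefined variable.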
100 KB
./usr/share/scap-security-guide/ansible/ssg-sl7-role-C2S.yml
Ordering differences only
    
Offset 46, 26 lines modifiedOffset 46, 26 lines modified
46 ······sshd_idle_timeout_value:·720046 ······sshd_idle_timeout_value:·7200
47 ······rsyslog_remote_loghost_address:·logcollector47 ······rsyslog_remote_loghost_address:·logcollector
48 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·048 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0
49 ······sysctl_net_ipv6_conf_default_accept_ra_value:·049 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
50 ······sysctl_net_ipv6_conf_all_accept_ra_value:·050 ······sysctl_net_ipv6_conf_all_accept_ra_value:·0
51 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·051 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
52 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·052 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
53 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·153 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
54 ······sysctl_net_ipv4_conf_default_log_martians_value:·154 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
55 ······sysctl_net_ipv4_conf_default_rp_filter_value:·155 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
56 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·056 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
57 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·057 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
58 ······sysctl_net_ipv4_tcp_syncookies_value:·158 ······sysctl_net_ipv4_tcp_syncookies_value:·1
59 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·059 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
60 ······sysctl_net_ipv4_conf_all_log_martians_value:·160 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
61 ······sysctl_net_ipv4_conf_all_rp_filter_value:·161 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
62 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·162 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
63 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·063 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
64 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·064 ······sysctl_net_ipv4_conf_default_log_martians_value:·1
65 ······var_selinux_policy_name:·targeted65 ······var_selinux_policy_name:·targeted
66 ······var_selinux_state:·enforcing66 ······var_selinux_state:·enforcing
67 ······var_accounts_password_warn_age_login_defs:·767 ······var_accounts_password_warn_age_login_defs:·7
68 ······var_accounts_minimum_age_login_defs:·768 ······var_accounts_minimum_age_login_defs:·7
69 ······var_accounts_maximum_age_login_defs:·9069 ······var_accounts_maximum_age_login_defs:·90
70 ······var_account_disable_post_pw_expiration:·3070 ······var_account_disable_post_pw_expiration:·30
71 ······var_password_pam_unix_remember:·571 ······var_password_pam_unix_remember:·5
Offset 274, 14 lines modifiedOffset 274, 30 lines modified
274 ········-·disable_strategy274 ········-·disable_strategy
275 ········-·low_complexity275 ········-·low_complexity
276 ········-·low_disruption276 ········-·low_disruption
277 ········-·CCE-80212-4277 ········-·CCE-80212-4
278 ········-·NIST-800-53-AC-17(8)278 ········-·NIST-800-53-AC-17(8)
279 ········-·NIST-800-53-CM-7279 ········-·NIST-800-53-CM-7
280 ····280 ····
 281 ····-·name:·Ensure·tcp_wrappers·is·installed
 282 ······package:
 283 ········name="{{item}}"
 284 ········state=present
 285 ······with_items:
 286 ········-·tcp_wrappers
 287 ······tags:
 288 ········-·package_tcp_wrappers_installed
 289 ········-·medium_severity
 290 ········-·enable_strategy
 291 ········-·low_complexity
 292 ········-·low_disruption
 293 ········-·CCE-27361-5
 294 ········-·NIST-800-53-CM-6(b)
 295 ········-·DISA-STIG-RHEL-07-TBD
 296 ····
281 ····-·name:·Disable·service·xinetd297 ····-·name:·Disable·service·xinetd
282 ······service:298 ······service:
283 ········name="{{item}}"299 ········name="{{item}}"
284 ········enabled="no"300 ········enabled="no"
285 ········state="stopped"301 ········state="stopped"
286 ······register:·service_result302 ······register:·service_result
287 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"303 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 294, 30 lines modifiedOffset 310, 14 lines modified
294 ········-·low_complexity310 ········-·low_complexity
295 ········-·low_disruption311 ········-·low_disruption
296 ········-·CCE-27443-1312 ········-·CCE-27443-1
297 ········-·NIST-800-53-AC-17(8)313 ········-·NIST-800-53-AC-17(8)
298 ········-·NIST-800-53-CM-7314 ········-·NIST-800-53-CM-7
299 ········-·NIST-800-171-3.4.7315 ········-·NIST-800-171-3.4.7
300 ····316 ····
301 ····-·name:·Ensure·tcp_wrappers·is·installed 
302 ······package: 
303 ········name="{{item}}" 
304 ········state=present 
305 ······with_items: 
306 ········-·tcp_wrappers 
307 ······tags: 
308 ········-·package_tcp_wrappers_installed 
309 ········-·medium_severity 
310 ········-·enable_strategy 
311 ········-·low_complexity 
312 ········-·low_disruption 
313 ········-·CCE-27361-5 
314 ········-·NIST-800-53-CM-6(b) 
315 ········-·DISA-STIG-RHEL-07-TBD 
316 ···· 
317 ····-·name:·Ensure·talk·is·removed317 ····-·name:·Ensure·talk·is·removed
318 ······package:318 ······package:
319 ········name="{{item}}"319 ········name="{{item}}"
320 ········state=absent320 ········state=absent
321 ······with_items:321 ······with_items:
322 ········-·talk322 ········-·talk
323 ······tags:323 ······tags:
Offset 338, 14 lines modifiedOffset 338, 31 lines modified
338 ········-·package_talk-server_removed338 ········-·package_talk-server_removed
339 ········-·medium_severity339 ········-·medium_severity
340 ········-·disable_strategy340 ········-·disable_strategy
341 ········-·low_complexity341 ········-·low_complexity
342 ········-·low_disruption342 ········-·low_disruption
343 ········-·CCE-27210-4343 ········-·CCE-27210-4
344 ····344 ····
 345 ····-·name:·Disable·service·dovecot
 346 ······service:
 347 ········name="{{item}}"
 348 ········enabled="no"
 349 ········state="stopped"
 350 ······register:·service_result
 351 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
 352 ······with_items:
 353 ········-·dovecot
 354 ······tags:
 355 ········-·service_dovecot_disabled
 356 ········-·unknown_severity
 357 ········-·disable_strategy
 358 ········-·low_complexity
 359 ········-·low_disruption
 360 ········-·CCE-80294-2
 361 ····
345 ····-·name:·Disable·service·vsftpd362 ····-·name:·Disable·service·vsftpd
346 ······service:363 ······service:
347 ········name="{{item}}"364 ········name="{{item}}"
348 ········enabled="no"365 ········enabled="no"
349 ········state="stopped"366 ········state="stopped"
350 ······register:·service_result367 ······register:·service_result
351 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"368 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 496, 31 lines modifiedOffset 513, 14 lines modified
496 ········-·medium_severity513 ········-·medium_severity
497 ········-·disable_strategy514 ········-·disable_strategy
498 ········-·low_complexity515 ········-·low_complexity
499 ········-·low_disruption516 ········-·low_disruption
500 ········-·CCE-80330-4517 ········-·CCE-80330-4
501 ········-·NIST-800-53-CM-7518 ········-·NIST-800-53-CM-7
Max diff block lines reached; 97763/102303 bytes (95.56%) of diff not shown.
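Review bot: The shipped role is not build-reproducible: between two builds of the same 0.1.39-2 source, `Ensure tcp_wrappers is installed` moves from after `Disable service xinetd` to before it and `Disable service dovecot` moves ahead of `Disable service vsftpd`, so a rebuilt ssg-nondebian .deb can never match the published hash and a downstream consumer cannot verify the compliance content it installs. The tasks look independent of each other, so this is presumably unordered dict/set iteration in the role generator rather than a content change; the fix belongs in the generator (emit tasks and `vars:` keys in a stable order, e.g. sorted by rule id or CCE), not in this generated file. The same ordering instability is visible in the sysctl `vars:` block at the top of the role. The hunks are truncated, so part of the reordering is not visible here.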
69.1 KB
./usr/share/scap-security-guide/ansible/ssg-sl7-role-cjis.yml
Ordering differences only
    
Offset 37, 28 lines modifiedOffset 37, 28 lines modified
37 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."37 ···········"You·must·update·Ansible·to·at·least·version·2.3·to·use·this·role."
38 ··········38 ··········
39 ···vars:39 ···vars:
40 ······sshd_idle_timeout_value:·180040 ······sshd_idle_timeout_value:·1800
41 ······sshd_listening_port:·2241 ······sshd_listening_port:·22
42 ······inactivity_timeout_value:·180042 ······inactivity_timeout_value:·1800
43 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·043 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
44 ······sysctl_net_ipv4_tcp_syncookies_value:·1 
45 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 
46 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·144 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
47 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·045 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
 46 ······sysctl_net_ipv4_tcp_syncookies_value:·1
 47 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
48 ······var_accounts_minimum_age_login_defs:·148 ······var_accounts_minimum_age_login_defs:·1
49 ······var_account_disable_post_pw_expiration:·049 ······var_account_disable_post_pw_expiration:·0
50 ······var_password_pam_minlen:·1250 ······var_password_pam_minlen:·12
51 ······var_password_pam_difok:·651 ······var_password_pam_difok:·6
52 ······var_accounts_max_concurrent_login_sessions:·352 ······var_accounts_max_concurrent_login_sessions:·3
53 ······var_auditd_max_log_file:·153 ······var_auditd_max_log_file:·1
54 ······var_auditd_action_mail_acct:·admin54 ······var_auditd_action_mail_acct:·admin
55 ······var_auditd_space_left_action:·suspend 
56 ······var_auditd_admin_space_left_action:·suspend55 ······var_auditd_admin_space_left_action:·suspend
57 ······var_auditd_max_log_file_action:·rotate56 ······var_auditd_max_log_file_action:·rotate
 57 ······var_auditd_space_left_action:·suspend
58 ···tasks:58 ···tasks:
59 ····-·name:·Disable·SSH·Access·via·Empty·Passwords59 ····-·name:·Disable·SSH·Access·via·Empty·Passwords
60 ······lineinfile:60 ······lineinfile:
61 ········create:·yes61 ········create:·yes
62 ········dest:·/etc/ssh/sshd_config62 ········dest:·/etc/ssh/sshd_config
63 ········regexp:·^PermitEmptyPasswords63 ········regexp:·^PermitEmptyPasswords
64 ········line:·PermitEmptyPasswords·no64 ········line:·PermitEmptyPasswords·no
Offset 96, 14 lines modifiedOffset 96, 39 lines modified
96 ········-·NIST-800-53-AC-2(5)96 ········-·NIST-800-53-AC-2(5)
97 ········-·NIST-800-53-SA-897 ········-·NIST-800-53-SA-8
98 ········-·NIST-800-53-AC-1298 ········-·NIST-800-53-AC-12
99 ········-·NIST-800-171-3.1.1199 ········-·NIST-800-171-3.1.11
100 ········-·CJIS-5.5.6100 ········-·CJIS-5.5.6
101 ········-·DISA-STIG-RHEL-07-040340101 ········-·DISA-STIG-RHEL-07-040340
102 ····102 ····
 103 ····
 104 ····
 105 ····-·name:·Set·SSH·Idle·Timeout·Interval
 106 ······lineinfile:
 107 ········create:·yes
 108 ········dest:·/etc/ssh/sshd_config
 109 ········regexp:·^ClientAliveInterval
 110 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"
 111 ········validate:·sshd·-t·-f·%s
 112 ······#notify:·restart·sshd
 113 ······tags:
 114 ········-·sshd_set_idle_timeout
 115 ········-·unknown_severity
 116 ········-·restrict_strategy
 117 ········-·low_complexity
 118 ········-·low_disruption
 119 ········-·CCE-27433-2
 120 ········-·NIST-800-53-AC-2(5)
 121 ········-·NIST-800-53-SA-8(i)
 122 ········-·NIST-800-53-AC-12
 123 ········-·NIST-800-171-3.1.11
 124 ········-·PCI-DSS-Req-8.1.8
 125 ········-·CJIS-5.5.6
 126 ········-·DISA-STIG-RHEL-07-040320
 127 ····
103 ····-·name:·Enable·SSH·Warning·Banner128 ····-·name:·Enable·SSH·Warning·Banner
104 ······lineinfile:129 ······lineinfile:
105 ········create:·yes130 ········create:·yes
106 ········dest:·/etc/ssh/sshd_config131 ········dest:·/etc/ssh/sshd_config
107 ········regexp:·^Banner132 ········regexp:·^Banner
108 ········line:·Banner·/etc/issue133 ········line:·Banner·/etc/issue
109 ········validate:·sshd·-t·-f·%s134 ········validate:·sshd·-t·-f·%s
Offset 119, 33 lines modifiedOffset 144, 14 lines modified
119 ········-·NIST-800-53-AC-8(c)(1)144 ········-·NIST-800-53-AC-8(c)(1)
120 ········-·NIST-800-53-AC-8(c)(2)145 ········-·NIST-800-53-AC-8(c)(2)
121 ········-·NIST-800-53-AC-8(c)(3)146 ········-·NIST-800-53-AC-8(c)(3)
122 ········-·NIST-800-171-3.1.9147 ········-·NIST-800-171-3.1.9
123 ········-·CJIS-5.5.6148 ········-·CJIS-5.5.6
124 ········-·DISA-STIG-RHEL-07-040170149 ········-·DISA-STIG-RHEL-07-040170
125 ····150 ····
126 ····-·name:·Do·Not·Allow·SSH·Environment·Options 
127 ······lineinfile: 
128 ········create:·yes 
129 ········dest:·/etc/ssh/sshd_config 
130 ········regexp:·^PermitUserEnvironment 
131 ········line:·PermitUserEnvironment·no 
132 ········validate:·sshd·-t·-f·%s 
133 ······tags: 
134 ········-·sshd_do_not_permit_user_env 
135 ········-·medium_severity 
136 ········-·restrict_strategy 
137 ········-·low_complexity 
138 ········-·low_disruption 
139 ········-·CCE-27363-1 
140 ········-·NIST-800-53-CM-6(b) 
141 ········-·NIST-800-171-3.1.12 
142 ········-·CJIS-5.5.6 
143 ········-·DISA-STIG-RHEL-07-010460 
144 ···· 
145 ····151 ····
146 ····-·name:·"Allow·Only·SSH·Protocol·2"152 ····-·name:·"Allow·Only·SSH·Protocol·2"
147 ······lineinfile:153 ······lineinfile:
148 ········dest:·/etc/ssh/sshd_config154 ········dest:·/etc/ssh/sshd_config
149 ········regexp:·"^Protocol·[0-9]"155 ········regexp:·"^Protocol·[0-9]"
150 ········line:·"Protocol·2"156 ········line:·"Protocol·2"
151 ········validate:·sshd·-t·-f·%s157 ········validate:·sshd·-t·-f·%s
Offset 180, 38 lines modifiedOffset 186, 32 lines modified
180 ········-·CCE-27377-1186 ········-·CCE-27377-1
181 ········-·NIST-800-53-AC-3187 ········-·NIST-800-53-AC-3
182 ········-·NIST-800-53-CM-6(a)188 ········-·NIST-800-53-CM-6(a)
183 ········-·NIST-800-171-3.1.12189 ········-·NIST-800-171-3.1.12
184 ········-·CJIS-5.5.6190 ········-·CJIS-5.5.6
185 ········-·DISA-STIG-RHEL-07-040350191 ········-·DISA-STIG-RHEL-07-040350
186 ····192 ····
187 ····193 ····-·name:·Do·Not·Allow·SSH·Environment·Options
188 ···· 
189 ····-·name:·Set·SSH·Idle·Timeout·Interval 
190 ······lineinfile:194 ······lineinfile:
191 ········create:·yes195 ········create:·yes
192 ········dest:·/etc/ssh/sshd_config196 ········dest:·/etc/ssh/sshd_config
193 ········regexp:·^ClientAliveInterval197 ········regexp:·^PermitUserEnvironment
194 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"198 ········line:·PermitUserEnvironment·no
195 ········validate:·sshd·-t·-f·%s199 ········validate:·sshd·-t·-f·%s
196 ······#notify:·restart·sshd 
197 ······tags:200 ······tags:
198 ········-·sshd_set_idle_timeout201 ········-·sshd_do_not_permit_user_env
199 ········-·unknown_severity202 ········-·medium_severity
200 ········-·restrict_strategy203 ········-·restrict_strategy
Max diff block lines reached; 66416/70623 bytes (94.04%) of diff not shown.
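Review bot: The `Set SSH Idle Timeout Interval` task writes `ClientAliveInterval` into /etc/ssh/sshd_config but its `#notify: restart sshd` line is commented out, so the validated change is on disk only and the running daemon keeps the old timeout until something else restarts it; the other sshd_config tasks in this role (`PermitEmptyPasswords`, `Banner`, `PermitUserEnvironment`, `Protocol 2`) have no notify at all. Either wire a handler in (`notify: restart sshd` with a matching `service: name=sshd state=restarted` handler) or document that an sshd reload is required after applying the role. A further caveat worth documenting: `lineinfile` appends any directive it does not match, and on a config that already has a `Match` block the appended line lands inside that block and applies only to its scope. The hunk is truncated, so the remaining tasks of the role are not visible.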
100 KB
./usr/share/scap-security-guide/ansible/ssg-sl7-role-hipaa.yml
Ordering differences only
    
Offset 220, 14 lines modifiedOffset 220, 28 lines modified
220 ········-·low_complexity220 ········-·low_complexity
221 ········-·low_disruption221 ········-·low_disruption
222 ········-·CCE-27165-0222 ········-·CCE-27165-0
223 ········-·NIST-800-53-AC-17(8)223 ········-·NIST-800-53-AC-17(8)
224 ········-·NIST-800-53-CM-7(a)224 ········-·NIST-800-53-CM-7(a)
225 ········-·DISA-STIG-RHEL-07-021710225 ········-·DISA-STIG-RHEL-07-021710
226 ····226 ····
 227 ····-·name:·Ensure·ypbind·is·removed
 228 ······package:
 229 ········name="{{item}}"
 230 ········state=absent
 231 ······with_items:
 232 ········-·ypbind
 233 ······tags:
 234 ········-·package_ypbind_removed
 235 ········-·unknown_severity
 236 ········-·disable_strategy
 237 ········-·low_complexity
 238 ········-·low_disruption
 239 ········-·CCE-27396-1
 240 ····
227 ····-·name:·Disable·service·ypbind241 ····-·name:·Disable·service·ypbind
228 ······service:242 ······service:
229 ········name="{{item}}"243 ········name="{{item}}"
230 ········enabled="no"244 ········enabled="no"
231 ········state="stopped"245 ········state="stopped"
232 ······register:·service_result246 ······register:·service_result
233 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"247 ······failed_when:·"service_result|failed·and·('Could·not·find·the·requested·service'·not·in·service_result.msg)"
Offset 239, 28 lines modifiedOffset 253, 14 lines modified
239 ········-·disable_strategy253 ········-·disable_strategy
240 ········-·low_complexity254 ········-·low_complexity
241 ········-·low_disruption255 ········-·low_disruption
242 ········-·CCE-27385-4256 ········-·CCE-27385-4
243 ········-·NIST-800-53-AC-17(8)257 ········-·NIST-800-53-AC-17(8)
244 ········-·NIST-800-53-CM-7258 ········-·NIST-800-53-CM-7
245 ····259 ····
246 ····-·name:·Ensure·ypbind·is·removed 
247 ······package: 
248 ········name="{{item}}" 
249 ········state=absent 
250 ······with_items: 
251 ········-·ypbind 
252 ······tags: 
253 ········-·package_ypbind_removed 
254 ········-·unknown_severity 
255 ········-·disable_strategy 
256 ········-·low_complexity 
257 ········-·low_disruption 
258 ········-·CCE-27396-1 
259 ···· 
260 ····-·name:·Ensure·ypserv·is·removed260 ····-·name:·Ensure·ypserv·is·removed
261 ······package:261 ······package:
262 ········name="{{item}}"262 ········name="{{item}}"
263 ········state=absent263 ········state=absent
264 ······with_items:264 ······with_items:
265 ········-·ypserv265 ········-·ypserv
266 ······tags:266 ······tags:
Offset 389, 14 lines modifiedOffset 389, 33 lines modified
389 ········-·low_disruption389 ········-·low_disruption
390 ········-·CCE-80258-7390 ········-·CCE-80258-7
391 ········-·NIST-800-53-AC-17(8)391 ········-·NIST-800-53-AC-17(8)
392 ········-·NIST-800-53-CM-7392 ········-·NIST-800-53-CM-7
393 ········-·NIST-800-53-CM-6(b)393 ········-·NIST-800-53-CM-6(b)
394 ········-·DISA-STIG-RHEL-07-021300394 ········-·DISA-STIG-RHEL-07-021300
395 ····395 ····
 396 ····-·name:·"Enable·Use·of·Strict·Mode·Checking"
 397 ······lineinfile:
 398 ········create:·yes
 399 ········dest:·/etc/ssh/sshd_config
 400 ········regexp:·(?i)^#?strictmodes
 401 ········line:·StrictModes·yes
 402 ········validate:·sshd·-t·-f·%s
 403 ······#notify:·restart·sshd
 404 ······tags:
 405 ········-·sshd_enable_strictmodes
 406 ········-·medium_severity
 407 ········-·restrict_strategy
 408 ········-·low_complexity
 409 ········-·low_disruption
 410 ········-·CCE-80222-3
 411 ········-·NIST-800-53-AC-6
 412 ········-·NIST-800-171-3.1.12
 413 ········-·DISA-STIG-RHEL-07-040450
 414 ····
396 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"415 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"
397 ······lineinfile:416 ······lineinfile:
398 ········create:·yes417 ········create:·yes
399 ········dest:·/etc/ssh/sshd_config418 ········dest:·/etc/ssh/sshd_config
400 ········regexp:·^IgnoreUserKnownHosts419 ········regexp:·^IgnoreUserKnownHosts
401 ········line:·IgnoreUserKnownHosts·yes420 ········line:·IgnoreUserKnownHosts·yes
402 ········validate:·sshd·-t·-f·%s421 ········validate:·sshd·-t·-f·%s
Offset 452, 32 lines modifiedOffset 471, 14 lines modified
452 ········-·NIST-800-53-AC-2(5)471 ········-·NIST-800-53-AC-2(5)
453 ········-·NIST-800-53-SA-8472 ········-·NIST-800-53-SA-8
454 ········-·NIST-800-53-AC-12473 ········-·NIST-800-53-AC-12
455 ········-·NIST-800-171-3.1.11474 ········-·NIST-800-171-3.1.11
456 ········-·CJIS-5.5.6475 ········-·CJIS-5.5.6
457 ········-·DISA-STIG-RHEL-07-040340476 ········-·DISA-STIG-RHEL-07-040340
458 ····477 ····
459 ····-·name:·Disable·SSH·Support·for·Rhosts·RSA·Authentication 
460 ······lineinfile: 
461 ········create:·yes 
462 ········dest:·/etc/ssh/sshd_config 
463 ········regexp:·^RhostsRSAAuthentication 
464 ········line:·RhostsRSAAuthentication·no 
465 ········validate:·sshd·-t·-f·%s 
466 ······tags: 
467 ········-·sshd_disable_rhosts_rsa 
468 ········-·medium_severity 
469 ········-·restrict_strategy 
470 ········-·low_complexity 
471 ········-·low_disruption 
472 ········-·CCE-80373-4 
473 ········-·NIST-800-53-CM-6(a) 
474 ········-·NIST-800-171-3.1.12 
475 ········-·DISA-STIG-RHEL-07-040330 
476 ···· 
477 ····-·name:·Enable·SSH·Warning·Banner478 ····-·name:·Enable·SSH·Warning·Banner
478 ······lineinfile:479 ······lineinfile:
479 ········create:·yes480 ········create:·yes
480 ········dest:·/etc/ssh/sshd_config481 ········dest:·/etc/ssh/sshd_config
481 ········regexp:·^Banner482 ········regexp:·^Banner
482 ········line:·Banner·/etc/issue483 ········line:·Banner·/etc/issue
483 ········validate:·sshd·-t·-f·%s484 ········validate:·sshd·-t·-f·%s
Offset 516, 33 lines modifiedOffset 517, 14 lines modified
516 ········-·NIST-800-53-IA-7517 ········-·NIST-800-53-IA-7
517 ········-·NIST-800-53-SC-13518 ········-·NIST-800-53-SC-13
Max diff block lines reached; 98846/102348 bytes (96.58%) of diff not shown.
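Review bot: The `Enable Use of Strict Mode Checking` task matches with `regexp: (?i)^#?strictmodes`, which is the right shape for sshd_config keywords (case-insensitive, also catching the commented default), but the neighbouring tasks still use case-sensitive, uncommented regexps such as `^IgnoreUserKnownHosts` and `^Banner`. Per sshd_config(5) sshd uses the first value it reads for a keyword, so if the file already contains e.g. `ignoreuserknownhosts no` the task appends a second directive that sshd ignores and the remediation silently does nothing while the play reports changed. The other sshd tasks should use the same pattern, e.g. `regexp: (?i)^#?ignoreuserknownhosts`. The hunk is truncated, so not all sshd tasks in the role are visible.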
177 KB
./usr/share/scap-security-guide/ansible/ssg-sl7-role-nist-800-171-cui.yml
Ordering differences only
    
Offset 50, 93 lines modifiedOffset 50, 93 lines modified
50 ··········50 ··········
51 ···vars:51 ···vars:
52 ······sshd_idle_timeout_value:·60052 ······sshd_idle_timeout_value:·600
53 ······sshd_listening_port:·2253 ······sshd_listening_port:·22
54 ······inactivity_timeout_value:·60054 ······inactivity_timeout_value:·600
55 ······rsyslog_remote_loghost_address:·logcollector55 ······rsyslog_remote_loghost_address:·logcollector
56 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·056 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0
57 ······sysctl_net_ipv6_conf_all_forwarding_value:·0 
58 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·057 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0
 58 ······sysctl_net_ipv6_conf_all_forwarding_value:·0
59 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·059 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0
60 ······sysctl_net_ipv6_conf_default_accept_ra_value:·060 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
61 ······sysctl_net_ipv6_conf_all_accept_ra_value:·061 ······sysctl_net_ipv6_conf_all_accept_ra_value:·0
62 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·062 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
63 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·063 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
64 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·164 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
65 ······sysctl_net_ipv4_conf_default_log_martians_value:·165 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
66 ······sysctl_net_ipv4_conf_default_rp_filter_value:·166 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
67 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·067 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
68 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·068 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
69 ······sysctl_net_ipv4_tcp_syncookies_value:·169 ······sysctl_net_ipv4_tcp_syncookies_value:·1
70 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·070 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
71 ······sysctl_net_ipv4_conf_all_log_martians_value:·171 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
72 ······sysctl_net_ipv4_conf_all_rp_filter_value:·172 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
73 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·173 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
74 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·074 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
75 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·075 ······sysctl_net_ipv4_conf_default_log_martians_value:·1
76 ······var_ssh_sysadm_login:·false76 ······var_ssh_sysadm_login:·false
 77 ······var_login_console_enabled:·true
77 ······var_auditadm_exec_content:·true78 ······var_auditadm_exec_content:·true
78 ······var_selinuxuser_execstack:·true79 ······var_selinuxuser_execstack:·true
79 ······var_mount_anyfile:·true80 ······var_mount_anyfile:·true
80 ······var_daemons_use_tcp_wrapper:·false81 ······var_cron_system_cronjob_use_shares:·false
81 ······var_cron_can_relabel:·false82 ······var_cron_can_relabel:·false
 83 ······var_guest_exec_content:·true
 84 ······var_secure_mode:·false
82 ······var_user_exec_content:·true85 ······var_user_exec_content:·true
83 ······var_deny_ptrace:·false86 ······var_deny_ptrace:·false
84 ······var_guest_exec_content:·true 
85 ······var_xserver_object_manager:·false87 ······var_xserver_object_manager:·false
86 ······var_xdm_sysadm_login:·false88 ······var_xdm_sysadm_login:·false
 89 ······var_sysadm_exec_content:·true
87 ······var_selinuxuser_mysql_connect_enabled:·false90 ······var_selinuxuser_mysql_connect_enabled:·false
88 ······var_xguest_mount_media:·true91 ······var_selinuxuser_udp_server:·false
89 ······var_secure_mode:·false 
90 ······var_ssh_keysign:·false92 ······var_ssh_keysign:·false
91 ······var_staff_exec_content:·true93 ······var_staff_exec_content:·true
 94 ······var_gpg_web_anon_write:·false
92 ······var_xserver_execmem:·false95 ······var_xserver_execmem:·false
93 ······var_secure_mode_insmod:·false96 ······var_cron_userdomain_transition:·true
 97 ······var_xguest_mount_media:·true
94 ······var_selinuxuser_rw_noexattrfile:·true98 ······var_selinuxuser_rw_noexattrfile:·true
95 ······var_deny_execmem:·false99 ······var_deny_execmem:·false
96 ······var_ssh_chroot_rw_homedirs:·false100 ······var_ssh_chroot_rw_homedirs:·false
97 ······var_logging_syslogd_can_sendmail:·false 
98 ······var_abrt_anon_write:·false101 ······var_abrt_anon_write:·false
99 ······var_cron_userdomain_transition:·true102 ······var_kerberos_enabled:·true
100 ······var_logging_syslogd_use_tty:·true103 ······var_logging_syslogd_use_tty:·true
101 ······var_login_console_enabled:·true 
102 ······var_abrt_handle_event:·false104 ······var_abrt_handle_event:·false
 105 ······var_mock_enable_homedirs:·false
 106 ······var_secure_mode_insmod:·false
103 ······var_unconfined_login:·true107 ······var_unconfined_login:·true
 108 ······var_logging_syslogd_can_sendmail:·false
104 ······var_selinuxuser_postgresql_connect_enabled:·false109 ······var_selinuxuser_postgresql_connect_enabled:·false
 110 ······var_daemons_use_tcp_wrapper:·false
105 ······var_abrt_upload_watch_anon_write:·true111 ······var_abrt_upload_watch_anon_write:·true
106 ······var_daemons_use_tty:·false112 ······var_daemons_use_tty:·false
107 ······var_selinuxuser_tcp_server:·false113 ······var_selinuxuser_tcp_server:·false
108 ······var_selinuxuser_direct_dri_enabled:·true114 ······var_selinuxuser_direct_dri_enabled:·true
109 ······var_xdm_bind_vnc_tcp_port:·false115 ······var_xdm_bind_vnc_tcp_port:·false
110 ······var_xserver_clients_write_xshm:·false116 ······var_xserver_clients_write_xshm:·false
111 ······var_use_ecryptfs_home_dirs:·false117 ······var_use_ecryptfs_home_dirs:·false
112 ······var_mock_enable_homedirs:·false 
113 ······var_xguest_exec_content:·true118 ······var_xguest_exec_content:·true
 119 ······var_xdm_write_home:·false
 120 ······var_logadm_exec_content:·true
114 ······var_domain_fd_use:·true121 ······var_domain_fd_use:·true
115 ······var_selinuxuser_udp_server:·false 
116 ······var_mmap_low_allowed:·false122 ······var_mmap_low_allowed:·false
117 ······var_selinuxuser_share_music:·false123 ······var_selinuxuser_share_music:·false
118 ······var_selinuxuser_execmod:·true124 ······var_selinuxuser_execmod:·true
119 ······var_cron_system_cronjob_use_shares:·false 
120 ······var_logadm_exec_content:·true 
121 ······var_xguest_connect_network:·true125 ······var_xguest_connect_network:·true
122 ······var_xdm_write_home:·false 
123 ······var_sysadm_exec_content:·true 
124 ······var_xguest_use_bluetooth:·true126 ······var_xguest_use_bluetooth:·true
125 ······var_kerberos_enabled:·true127 ······var_selinuxuser_execheap:·false
126 ······var_secure_mode_policyload:·false 
127 ······var_daemons_dump_core:·false128 ······var_daemons_dump_core:·false
128 ······var_xdm_exec_bootloader:·false129 ······var_xdm_exec_bootloader:·false
129 ······var_gpg_web_anon_write:·false 
130 ······var_fips_mode:·true130 ······var_fips_mode:·true
131 ······var_polyinstantiation_enabled:·false131 ······var_polyinstantiation_enabled:·false
132 ······var_domain_kernel_load_modules:·false132 ······var_domain_kernel_load_modules:·false
133 ······var_selinuxuser_use_ssh_chroot:·false133 ······var_selinuxuser_use_ssh_chroot:·false
134 ······var_selinuxuser_ping:·true134 ······var_selinuxuser_ping:·true
135 ······var_selinuxuser_execheap:·false135 ······var_secure_mode_policyload:·false
136 ······var_secadm_exec_content:·true136 ······var_secadm_exec_content:·true
137 ······var_selinux_policy_name:·targeted137 ······var_selinux_policy_name:·targeted
138 ······var_selinux_state:·enforcing138 ······var_selinux_state:·enforcing
139 ······var_accounts_password_minlen_login_defs:·6139 ······var_accounts_password_minlen_login_defs:·6
140 ······var_accounts_password_warn_age_login_defs:·7140 ······var_accounts_password_warn_age_login_defs:·7
141 ······var_accounts_minimum_age_login_defs:·7141 ······var_accounts_minimum_age_login_defs:·7
142 ······var_accounts_maximum_age_login_defs:·60142 ······var_accounts_maximum_age_login_defs:·60
Offset 156, 22 lines modifiedOffset 156, 22 lines modified
156 ······var_password_pam_difok:·8156 ······var_password_pam_difok:·8
157 ······var_password_pam_ocredit:·-1157 ······var_password_pam_ocredit:·-1
158 ······var_password_pam_lcredit:·-1158 ······var_password_pam_lcredit:·-1
159 ······var_password_pam_ucredit:·-1159 ······var_password_pam_ucredit:·-1
160 ······var_password_pam_retry:·3160 ······var_password_pam_retry:·3
161 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.161 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
162 ······var_accounts_user_umask:·077162 ······var_accounts_user_umask:·077
 163 ······var_accounts_max_concurrent_login_sessions:·10
163 ······var_accounts_fail_delay:·4164 ······var_accounts_fail_delay:·4
164 ······var_accounts_tmout:·600165 ······var_accounts_tmout:·600
165 ······var_accounts_max_concurrent_login_sessions:·10 
166 ······var_auditd_max_log_file:·6166 ······var_auditd_max_log_file:·6
167 ······var_auditd_action_mail_acct:·root167 ······var_auditd_action_mail_acct:·root
168 ······var_auditd_space_left_action:·email 
169 ······var_auditd_admin_space_left_action:·single168 ······var_auditd_admin_space_left_action:·single
170 ······var_auditd_max_log_file_action:·rotate169 ······var_auditd_max_log_file_action:·rotate
 170 ······var_auditd_space_left_action:·email
171 ······var_removable_partition:·/dev/cdrom171 ······var_removable_partition:·/dev/cdrom
172 ······var_removable_partition:·/dev/cdrom172 ······var_removable_partition:·/dev/cdrom
173 ······var_removable_partition:·/dev/cdrom173 ······var_removable_partition:·/dev/cdrom
Max diff block lines reached; 173777/180658 bytes (96.19%) of diff not shown.
177 KB
./usr/share/scap-security-guide/ansible/ssg-sl7-role-ospp.yml
Ordering differences only
    
Offset 61, 93 lines modifiedOffset 61, 93 lines modified
61 ··········61 ··········
62 ···vars:62 ···vars:
63 ······sshd_idle_timeout_value:·60063 ······sshd_idle_timeout_value:·600
64 ······sshd_listening_port:·2264 ······sshd_listening_port:·22
65 ······inactivity_timeout_value:·90065 ······inactivity_timeout_value:·900
66 ······rsyslog_remote_loghost_address:·logcollector66 ······rsyslog_remote_loghost_address:·logcollector
67 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·067 ······sysctl_net_ipv6_conf_default_accept_source_route_value:·0
68 ······sysctl_net_ipv6_conf_all_forwarding_value:·0 
69 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·068 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0
 69 ······sysctl_net_ipv6_conf_all_forwarding_value:·0
70 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·070 ······sysctl_net_ipv6_conf_all_accept_redirects_value:·0
71 ······sysctl_net_ipv6_conf_default_accept_ra_value:·071 ······sysctl_net_ipv6_conf_default_accept_ra_value:·0
72 ······sysctl_net_ipv6_conf_all_accept_ra_value:·072 ······sysctl_net_ipv6_conf_all_accept_ra_value:·0
73 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·073 ······sysctl_net_ipv6_conf_default_accept_redirects_value:·0
74 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·074 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
75 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·175 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
76 ······sysctl_net_ipv4_conf_default_log_martians_value:·176 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
77 ······sysctl_net_ipv4_conf_default_rp_filter_value:·177 ······sysctl_net_ipv4_conf_default_rp_filter_value:·1
78 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·078 ······sysctl_net_ipv4_conf_all_secure_redirects_value:·0
79 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·079 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
80 ······sysctl_net_ipv4_tcp_syncookies_value:·180 ······sysctl_net_ipv4_tcp_syncookies_value:·1
81 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·081 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
82 ······sysctl_net_ipv4_conf_all_log_martians_value:·182 ······sysctl_net_ipv4_conf_all_log_martians_value:·1
83 ······sysctl_net_ipv4_conf_all_rp_filter_value:·183 ······sysctl_net_ipv4_conf_all_rp_filter_value:·1
84 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·184 ······sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:·1
85 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·085 ······sysctl_net_ipv4_conf_default_secure_redirects_value:·0
86 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·086 ······sysctl_net_ipv4_conf_default_log_martians_value:·1
87 ······var_ssh_sysadm_login:·false87 ······var_ssh_sysadm_login:·false
 88 ······var_login_console_enabled:·true
88 ······var_auditadm_exec_content:·true89 ······var_auditadm_exec_content:·true
89 ······var_selinuxuser_execstack:·true90 ······var_selinuxuser_execstack:·true
90 ······var_mount_anyfile:·true91 ······var_mount_anyfile:·true
91 ······var_daemons_use_tcp_wrapper:·false92 ······var_cron_system_cronjob_use_shares:·false
92 ······var_cron_can_relabel:·false93 ······var_cron_can_relabel:·false
 94 ······var_guest_exec_content:·true
 95 ······var_secure_mode:·false
93 ······var_user_exec_content:·true96 ······var_user_exec_content:·true
94 ······var_deny_ptrace:·false97 ······var_deny_ptrace:·false
95 ······var_guest_exec_content:·true 
96 ······var_xserver_object_manager:·false98 ······var_xserver_object_manager:·false
97 ······var_xdm_sysadm_login:·false99 ······var_xdm_sysadm_login:·false
 100 ······var_sysadm_exec_content:·true
98 ······var_selinuxuser_mysql_connect_enabled:·false101 ······var_selinuxuser_mysql_connect_enabled:·false
99 ······var_xguest_mount_media:·true102 ······var_selinuxuser_udp_server:·false
100 ······var_secure_mode:·false 
101 ······var_ssh_keysign:·false103 ······var_ssh_keysign:·false
102 ······var_staff_exec_content:·true104 ······var_staff_exec_content:·true
 105 ······var_gpg_web_anon_write:·false
103 ······var_xserver_execmem:·false106 ······var_xserver_execmem:·false
104 ······var_secure_mode_insmod:·false107 ······var_cron_userdomain_transition:·true
 108 ······var_xguest_mount_media:·true
105 ······var_selinuxuser_rw_noexattrfile:·true109 ······var_selinuxuser_rw_noexattrfile:·true
106 ······var_deny_execmem:·false110 ······var_deny_execmem:·false
107 ······var_ssh_chroot_rw_homedirs:·false111 ······var_ssh_chroot_rw_homedirs:·false
108 ······var_logging_syslogd_can_sendmail:·false 
109 ······var_abrt_anon_write:·false112 ······var_abrt_anon_write:·false
110 ······var_cron_userdomain_transition:·true113 ······var_kerberos_enabled:·true
111 ······var_logging_syslogd_use_tty:·true114 ······var_logging_syslogd_use_tty:·true
112 ······var_login_console_enabled:·true 
113 ······var_abrt_handle_event:·false115 ······var_abrt_handle_event:·false
 116 ······var_mock_enable_homedirs:·false
 117 ······var_secure_mode_insmod:·false
114 ······var_unconfined_login:·true118 ······var_unconfined_login:·true
 119 ······var_logging_syslogd_can_sendmail:·false
115 ······var_selinuxuser_postgresql_connect_enabled:·false120 ······var_selinuxuser_postgresql_connect_enabled:·false
 121 ······var_daemons_use_tcp_wrapper:·false
116 ······var_abrt_upload_watch_anon_write:·true122 ······var_abrt_upload_watch_anon_write:·true
117 ······var_daemons_use_tty:·false123 ······var_daemons_use_tty:·false
118 ······var_selinuxuser_tcp_server:·false124 ······var_selinuxuser_tcp_server:·false
119 ······var_selinuxuser_direct_dri_enabled:·true125 ······var_selinuxuser_direct_dri_enabled:·true
120 ······var_xdm_bind_vnc_tcp_port:·false126 ······var_xdm_bind_vnc_tcp_port:·false
121 ······var_xserver_clients_write_xshm:·false127 ······var_xserver_clients_write_xshm:·false
122 ······var_use_ecryptfs_home_dirs:·false128 ······var_use_ecryptfs_home_dirs:·false
123 ······var_mock_enable_homedirs:·false 
124 ······var_xguest_exec_content:·true129 ······var_xguest_exec_content:·true
 130 ······var_xdm_write_home:·false
 131 ······var_logadm_exec_content:·true
125 ······var_domain_fd_use:·true132 ······var_domain_fd_use:·true
126 ······var_selinuxuser_udp_server:·false 
127 ······var_mmap_low_allowed:·false133 ······var_mmap_low_allowed:·false
128 ······var_selinuxuser_share_music:·false134 ······var_selinuxuser_share_music:·false
129 ······var_selinuxuser_execmod:·true135 ······var_selinuxuser_execmod:·true
130 ······var_cron_system_cronjob_use_shares:·false 
131 ······var_logadm_exec_content:·true 
132 ······var_xguest_connect_network:·true136 ······var_xguest_connect_network:·true
133 ······var_xdm_write_home:·false 
134 ······var_sysadm_exec_content:·true 
135 ······var_xguest_use_bluetooth:·true137 ······var_xguest_use_bluetooth:·true
136 ······var_kerberos_enabled:·true138 ······var_selinuxuser_execheap:·false
137 ······var_secure_mode_policyload:·false 
138 ······var_daemons_dump_core:·false139 ······var_daemons_dump_core:·false
139 ······var_xdm_exec_bootloader:·false140 ······var_xdm_exec_bootloader:·false
140 ······var_gpg_web_anon_write:·false 
141 ······var_fips_mode:·true141 ······var_fips_mode:·true
142 ······var_polyinstantiation_enabled:·false142 ······var_polyinstantiation_enabled:·false
143 ······var_domain_kernel_load_modules:·false143 ······var_domain_kernel_load_modules:·false
144 ······var_selinuxuser_use_ssh_chroot:·false144 ······var_selinuxuser_use_ssh_chroot:·false
145 ······var_selinuxuser_ping:·true145 ······var_selinuxuser_ping:·true
146 ······var_selinuxuser_execheap:·false146 ······var_secure_mode_policyload:·false
147 ······var_secadm_exec_content:·true147 ······var_secadm_exec_content:·true
148 ······var_selinux_policy_name:·targeted148 ······var_selinux_policy_name:·targeted
149 ······var_selinux_state:·enforcing149 ······var_selinux_state:·enforcing
150 ······var_accounts_password_minlen_login_defs:·6150 ······var_accounts_password_minlen_login_defs:·6
151 ······var_accounts_password_warn_age_login_defs:·7151 ······var_accounts_password_warn_age_login_defs:·7
152 ······var_accounts_minimum_age_login_defs:·7152 ······var_accounts_minimum_age_login_defs:·7
153 ······var_accounts_maximum_age_login_defs:·60153 ······var_accounts_maximum_age_login_defs:·60
Offset 167, 22 lines modifiedOffset 167, 22 lines modified
167 ······var_password_pam_difok:·8167 ······var_password_pam_difok:·8
168 ······var_password_pam_ocredit:·-1168 ······var_password_pam_ocredit:·-1
169 ······var_password_pam_lcredit:·-1169 ······var_password_pam_lcredit:·-1
170 ······var_password_pam_ucredit:·-1170 ······var_password_pam_ucredit:·-1
171 ······var_password_pam_retry:·3171 ······var_password_pam_retry:·3
172 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.172 ······login_banner_text:·--[\s\n]+WARNING[\s\n]+--[\s\n]*This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only.[\s\n]+Individuals[\s\n]*using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]*authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]*monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]*system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]*if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]*system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]*enforcement[\s\n]+officials.
173 ······var_accounts_user_umask:·077173 ······var_accounts_user_umask:·077
 174 ······var_accounts_max_concurrent_login_sessions:·10
174 ······var_accounts_fail_delay:·4175 ······var_accounts_fail_delay:·4
175 ······var_accounts_tmout:·600176 ······var_accounts_tmout:·600
176 ······var_accounts_max_concurrent_login_sessions:·10 
177 ······var_auditd_max_log_file:·6177 ······var_auditd_max_log_file:·6
178 ······var_auditd_action_mail_acct:·root178 ······var_auditd_action_mail_acct:·root
179 ······var_auditd_space_left_action:·email 
180 ······var_auditd_admin_space_left_action:·single179 ······var_auditd_admin_space_left_action:·single
181 ······var_auditd_max_log_file_action:·rotate180 ······var_auditd_max_log_file_action:·rotate
 181 ······var_auditd_space_left_action:·email
182 ······var_removable_partition:·/dev/cdrom182 ······var_removable_partition:·/dev/cdrom
183 ······var_removable_partition:·/dev/cdrom183 ······var_removable_partition:·/dev/cdrom
184 ······var_removable_partition:·/dev/cdrom184 ······var_removable_partition:·/dev/cdrom
Max diff block lines reached; 173778/180659 bytes (96.19%) of diff not shown.
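Review bot: The `vars:` mapping of this role comes out in a different key order on each build (for example `sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value` sits at file line 75 on one side and 84 on the other, and the `var_*` SELinux booleans at 88–146 are shuffled), so two builds of the same source produce artifacts with different checksums and the shipped .deb cannot be verified bit-for-bit against its source. The order has no effect on what Ansible applies, so the fix belongs in the generator rather than in this file: emit the variables in sorted key order, e.g. `for key, value in sorted(variables.items()):` before writing the `vars:` block — the generator is not visible in this diff, so the exact call site needs confirming. The same mapping also carries `var_removable_partition: /dev/cdrom` three times (182–184); duplicate keys in one YAML mapping are collapsed to the last one by the loader, so the emitter should deduplicate as well. The play's `tasks:` and the rest of the file are outside this hunk.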
60.8 KB
./usr/share/scap-security-guide/ansible/ssg-sl7-role-pci-dss.yml
Ordering differences only
    
Offset 43, 17 lines modifiedOffset 43, 17 lines modified
43 ······var_accounts_passwords_pam_faillock_fail_interval:·10000000043 ······var_accounts_passwords_pam_faillock_fail_interval:·100000000
44 ······var_password_pam_minlen:·744 ······var_password_pam_minlen:·7
45 ······var_password_pam_dcredit:·-145 ······var_password_pam_dcredit:·-1
46 ······var_password_pam_lcredit:·-146 ······var_password_pam_lcredit:·-1
47 ······var_password_pam_ucredit:·-147 ······var_password_pam_ucredit:·-1
48 ······var_auditd_max_log_file:·148 ······var_auditd_max_log_file:·1
49 ······var_auditd_action_mail_acct:·admin49 ······var_auditd_action_mail_acct:·admin
50 ······var_auditd_space_left_action:·suspend 
51 ······var_auditd_admin_space_left_action:·suspend50 ······var_auditd_admin_space_left_action:·suspend
52 ······var_auditd_max_log_file_action:·rotate51 ······var_auditd_max_log_file_action:·rotate
 52 ······var_auditd_space_left_action:·suspend
53 ···tasks:53 ···tasks:
54 ····54 ····
55 ····55 ····
56 ····-·name:·Set·SSH·Idle·Timeout·Interval56 ····-·name:·Set·SSH·Idle·Timeout·Interval
57 ······lineinfile:57 ······lineinfile:
58 ········create:·yes58 ········create:·yes
59 ········dest:·/etc/ssh/sshd_config59 ········dest:·/etc/ssh/sshd_config
Offset 596, 91 lines modifiedOffset 596, 91 lines modified
596 ········-·CCE-80111-8596 ········-·CCE-80111-8
597 ········-·NIST-800-53-AC-11(a)597 ········-·NIST-800-53-AC-11(a)
598 ········-·NIST-800-171-3.1.10598 ········-·NIST-800-171-3.1.10
599 ········-·PCI-DSS-Req-8.1.8599 ········-·PCI-DSS-Req-8.1.8
600 ········-·CJIS-5.5.5600 ········-·CJIS-5.5.5
601 ········-·DISA-STIG-RHEL-07-010100601 ········-·DISA-STIG-RHEL-07-010100
602 ····602 ····
603 ····603 ····-·name:·"Implement·Blank·Screensaver"
604 ···· 
605 ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout" 
606 ······ini_file:604 ······ini_file:
607 ········dest:·"/etc/dconf/db/local.d/00-security-settings"605 ········dest:·"/etc/dconf/db/local.d/00-security-settings"
608 ········section:·"org/gnome/desktop/screensaver"606 ········section:·"org/gnome/desktop/screensaver"
609 ········option:·idle-delay607 ········option:·picture-uri
610 ········value:·"{{·inactivity_timeout_value·}}"608 ········value:·string·''
611 ········create:·yes609 ········create:·yes
612 ······tags:610 ······tags:
613 ········-·dconf_gnome_screensaver_idle_delay611 ········-·dconf_gnome_screensaver_mode_blank
614 ········-·medium_severity612 ········-·unknown_severity
615 ········-·unknown_strategy613 ········-·unknown_strategy
616 ········-·low_complexity614 ········-·low_complexity
617 ········-·medium_disruption615 ········-·medium_disruption
618 ········-·CCE-80110-0616 ········-·CCE-80113-4
619 ········-·NIST-800-53-AC-11(a)617 ········-·NIST-800-53-AC-11(b)
620 ········-·NIST-800-171-3.1.10618 ········-·NIST-800-171-3.1.10
621 ········-·PCI-DSS-Req-8.1.8619 ········-·PCI-DSS-Req-8.1.8
622 ········-·CJIS-5.5.5620 ········-·CJIS-5.5.5
623 ········-·DISA-STIG-RHEL-07-010070 
624 ····621 ····
625 ····-·name:·"Prevent·user·modification·of·GNOME·idle-delay"622 ····-·name:·"Prevent·user·modification·of·GNOME·picture-uri"
626 ······lineinfile:623 ······lineinfile:
627 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock624 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock
628 ········regexp:·'^/org/gnome/desktop/screensaver/idle-delay'625 ········regexp:·'^/org/gnome/desktop/screensaver/picture-uri'
629 ········line:·'/org/gnome/desktop/screensaver/idle-delay'626 ········line:·'/org/gnome/desktop/screensaver/picture-uri'
630 ········create:·yes627 ········create:·yes
631 ······tags:628 ······tags:
632 ········-·dconf_gnome_screensaver_idle_delay629 ········-·dconf_gnome_screensaver_mode_blank
633 ········-·medium_severity630 ········-·unknown_severity
634 ········-·unknown_strategy631 ········-·unknown_strategy
635 ········-·low_complexity632 ········-·low_complexity
636 ········-·medium_disruption633 ········-·medium_disruption
637 ········-·CCE-80110-0634 ········-·CCE-80113-4
638 ········-·NIST-800-53-AC-11(a)635 ········-·NIST-800-53-AC-11(b)
639 ········-·NIST-800-171-3.1.10636 ········-·NIST-800-171-3.1.10
640 ········-·PCI-DSS-Req-8.1.8637 ········-·PCI-DSS-Req-8.1.8
641 ········-·CJIS-5.5.5638 ········-·CJIS-5.5.5
642 ········-·DISA-STIG-RHEL-07-010070 
643 ····639 ····
644 ····-·name:·"Implement·Blank·Screensaver"640 ····
 641 ····
 642 ····-·name:·"Set·GNOME3·Screensaver·Inactivity·Timeout"
645 ······ini_file:643 ······ini_file:
646 ········dest:·"/etc/dconf/db/local.d/00-security-settings"644 ········dest:·"/etc/dconf/db/local.d/00-security-settings"
647 ········section:·"org/gnome/desktop/screensaver"645 ········section:·"org/gnome/desktop/screensaver"
648 ········option:·picture-uri646 ········option:·idle-delay
649 ········value:·string·''647 ········value:·"{{·inactivity_timeout_value·}}"
650 ········create:·yes648 ········create:·yes
651 ······tags:649 ······tags:
652 ········-·dconf_gnome_screensaver_mode_blank650 ········-·dconf_gnome_screensaver_idle_delay
653 ········-·unknown_severity651 ········-·medium_severity
654 ········-·unknown_strategy652 ········-·unknown_strategy
655 ········-·low_complexity653 ········-·low_complexity
656 ········-·medium_disruption654 ········-·medium_disruption
657 ········-·CCE-80113-4655 ········-·CCE-80110-0
658 ········-·NIST-800-53-AC-11(b)656 ········-·NIST-800-53-AC-11(a)
659 ········-·NIST-800-171-3.1.10657 ········-·NIST-800-171-3.1.10
660 ········-·PCI-DSS-Req-8.1.8658 ········-·PCI-DSS-Req-8.1.8
661 ········-·CJIS-5.5.5659 ········-·CJIS-5.5.5
 660 ········-·DISA-STIG-RHEL-07-010070
662 ····661 ····
663 ····-·name:·"Prevent·user·modification·of·GNOME·picture-uri"662 ····-·name:·"Prevent·user·modification·of·GNOME·idle-delay"
664 ······lineinfile:663 ······lineinfile:
665 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock664 ········path:·/etc/dconf/db/local.d/locks/00-security-settings-lock
666 ········regexp:·'^/org/gnome/desktop/screensaver/picture-uri'665 ········regexp:·'^/org/gnome/desktop/screensaver/idle-delay'
667 ········line:·'/org/gnome/desktop/screensaver/picture-uri'666 ········line:·'/org/gnome/desktop/screensaver/idle-delay'
668 ········create:·yes667 ········create:·yes
669 ······tags:668 ······tags:
670 ········-·dconf_gnome_screensaver_mode_blank669 ········-·dconf_gnome_screensaver_idle_delay
671 ········-·unknown_severity670 ········-·medium_severity
672 ········-·unknown_strategy671 ········-·unknown_strategy
673 ········-·low_complexity672 ········-·low_complexity
674 ········-·medium_disruption673 ········-·medium_disruption
675 ········-·CCE-80113-4674 ········-·CCE-80110-0
676 ········-·NIST-800-53-AC-11(b)675 ········-·NIST-800-53-AC-11(a)
677 ········-·NIST-800-171-3.1.10676 ········-·NIST-800-171-3.1.10
678 ········-·PCI-DSS-Req-8.1.8677 ········-·PCI-DSS-Req-8.1.8
679 ········-·CJIS-5.5.5678 ········-·CJIS-5.5.5
 679 ········-·DISA-STIG-RHEL-07-010070
680 ····680 ····
681 ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period"681 ····-·name:·"Enable·GNOME3·Screensaver·Lock·After·Idle·Period"
682 ······ini_file:682 ······ini_file:
683 ········dest:·"/etc/dconf/db/local.d/00-security-settings"683 ········dest:·"/etc/dconf/db/local.d/00-security-settings"
684 ········section:·"org/gnome/desktop/screensaver"684 ········section:·"org/gnome/desktop/screensaver"
685 ········option:·lock-enabled685 ········option:·lock-enabled
686 ········value:·"true"686 ········value:·"true"
Offset 1129, 79 lines modifiedOffset 1129, 79 lines modified
1129 ········-·NIST-800-171-3.3.11129 ········-·NIST-800-171-3.3.1
1130 ········-·PCI-DSS-Req-10.7.a1130 ········-·PCI-DSS-Req-10.7.a
1131 ········-·CJIS-5.4.1.11131 ········-·CJIS-5.4.1.1
1132 ········-·DISA-STIG-RHEL-07-0303501132 ········-·DISA-STIG-RHEL-07-030350
1133 ····1133 ····
1134 ····1134 ····
1135 ····1135 ····
1136 ····-·name:·Configure·auditd·space_left·Action·on·Low·Disk·Space1136 ····-·name:·Configure·auditd·admin_space_left·Action·on·Low·Disk·Space
1137 ······lineinfile:1137 ······lineinfile:
1138 ········dest:·/etc/audit/auditd.conf1138 ········dest:·/etc/audit/auditd.conf
1139 ········line:·"space_left_action·=·{{·var_auditd_space_left_action·}}"1139 ········line:·"admin_space_left_action·=·{{·var_auditd_admin_space_left_action·}}"
1140 ········regexp:·^space_left_action*1140 ········regexp:·"^admin_space_left_action*"
Max diff block lines reached; 56742/62091 bytes (91.39%) of diff not shown.
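Review bot: The `regexp: "^admin_space_left_action*"` on the moved auditd task (file line 1140) is not the pattern the author meant — the trailing `*` quantifies only the final `n`, so it matches `admin_space_left_actio` followed by anything, not the key followed by `=`. It works only because no other auditd.conf key starts with that prefix; it should be tightened to match the key as written, e.g. `regexp: '^\s*admin_space_left_action\s*='`, so a future key sharing the prefix cannot be silently rewritten, and the `space_left_action` twin of this task elsewhere in the file carries the same construct and should get the same fix. The rest of the task (its `tags`) is cut off by the diff limit. Independently, the task reorderings in this hunk (the screensaver `ini_file`/`lineinfile` pairs at 603–679) change nothing functionally, but they are the reason the two builds differ, which points at non-deterministic ordering in the generator rather than anything to change in the playbook itself.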
7.01 KB
./usr/share/scap-security-guide/ansible/ssg-sl7-role-rht-ccp.yml
Ordering differences only
    
Offset 164, 14 lines modifiedOffset 164, 39 lines modified
164 ········-·NIST-800-53-AC-2(5)164 ········-·NIST-800-53-AC-2(5)
165 ········-·NIST-800-53-SA-8165 ········-·NIST-800-53-SA-8
166 ········-·NIST-800-53-AC-12166 ········-·NIST-800-53-AC-12
167 ········-·NIST-800-171-3.1.11167 ········-·NIST-800-171-3.1.11
168 ········-·CJIS-5.5.6168 ········-·CJIS-5.5.6
169 ········-·DISA-STIG-RHEL-07-040340169 ········-·DISA-STIG-RHEL-07-040340
170 ····170 ····
 171 ····
 172 ····
 173 ····-·name:·Set·SSH·Idle·Timeout·Interval
 174 ······lineinfile:
 175 ········create:·yes
 176 ········dest:·/etc/ssh/sshd_config
 177 ········regexp:·^ClientAliveInterval
 178 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"
 179 ········validate:·sshd·-t·-f·%s
 180 ······#notify:·restart·sshd
 181 ······tags:
 182 ········-·sshd_set_idle_timeout
 183 ········-·unknown_severity
 184 ········-·restrict_strategy
 185 ········-·low_complexity
 186 ········-·low_disruption
 187 ········-·CCE-27433-2
 188 ········-·NIST-800-53-AC-2(5)
 189 ········-·NIST-800-53-SA-8(i)
 190 ········-·NIST-800-53-AC-12
 191 ········-·NIST-800-171-3.1.11
 192 ········-·PCI-DSS-Req-8.1.8
 193 ········-·CJIS-5.5.6
 194 ········-·DISA-STIG-RHEL-07-040320
 195 ····
171 ····-·name:·Enable·SSH·Warning·Banner196 ····-·name:·Enable·SSH·Warning·Banner
172 ······lineinfile:197 ······lineinfile:
173 ········create:·yes198 ········create:·yes
174 ········dest:·/etc/ssh/sshd_config199 ········dest:·/etc/ssh/sshd_config
175 ········regexp:·^Banner200 ········regexp:·^Banner
176 ········line:·Banner·/etc/issue201 ········line:·Banner·/etc/issue
177 ········validate:·sshd·-t·-f·%s202 ········validate:·sshd·-t·-f·%s
Offset 187, 33 lines modifiedOffset 212, 14 lines modified
187 ········-·NIST-800-53-AC-8(c)(1)212 ········-·NIST-800-53-AC-8(c)(1)
188 ········-·NIST-800-53-AC-8(c)(2)213 ········-·NIST-800-53-AC-8(c)(2)
189 ········-·NIST-800-53-AC-8(c)(3)214 ········-·NIST-800-53-AC-8(c)(3)
190 ········-·NIST-800-171-3.1.9215 ········-·NIST-800-171-3.1.9
191 ········-·CJIS-5.5.6216 ········-·CJIS-5.5.6
192 ········-·DISA-STIG-RHEL-07-040170217 ········-·DISA-STIG-RHEL-07-040170
193 ····218 ····
194 ····-·name:·Do·Not·Allow·SSH·Environment·Options 
195 ······lineinfile: 
196 ········create:·yes 
197 ········dest:·/etc/ssh/sshd_config 
198 ········regexp:·^PermitUserEnvironment 
199 ········line:·PermitUserEnvironment·no 
200 ········validate:·sshd·-t·-f·%s 
201 ······tags: 
202 ········-·sshd_do_not_permit_user_env 
203 ········-·medium_severity 
204 ········-·restrict_strategy 
205 ········-·low_complexity 
206 ········-·low_disruption 
207 ········-·CCE-27363-1 
208 ········-·NIST-800-53-CM-6(b) 
209 ········-·NIST-800-171-3.1.12 
210 ········-·CJIS-5.5.6 
211 ········-·DISA-STIG-RHEL-07-010460 
212 ···· 
213 ····219 ····
214 ····-·name:·"Allow·Only·SSH·Protocol·2"220 ····-·name:·"Allow·Only·SSH·Protocol·2"
215 ······lineinfile:221 ······lineinfile:
216 ········dest:·/etc/ssh/sshd_config222 ········dest:·/etc/ssh/sshd_config
217 ········regexp:·"^Protocol·[0-9]"223 ········regexp:·"^Protocol·[0-9]"
218 ········line:·"Protocol·2"224 ········line:·"Protocol·2"
219 ········validate:·sshd·-t·-f·%s225 ········validate:·sshd·-t·-f·%s
Offset 248, 38 lines modifiedOffset 254, 32 lines modified
248 ········-·CCE-27377-1254 ········-·CCE-27377-1
249 ········-·NIST-800-53-AC-3255 ········-·NIST-800-53-AC-3
250 ········-·NIST-800-53-CM-6(a)256 ········-·NIST-800-53-CM-6(a)
251 ········-·NIST-800-171-3.1.12257 ········-·NIST-800-171-3.1.12
252 ········-·CJIS-5.5.6258 ········-·CJIS-5.5.6
253 ········-·DISA-STIG-RHEL-07-040350259 ········-·DISA-STIG-RHEL-07-040350
254 ····260 ····
255 ····261 ····-·name:·Do·Not·Allow·SSH·Environment·Options
256 ···· 
257 ····-·name:·Set·SSH·Idle·Timeout·Interval 
258 ······lineinfile:262 ······lineinfile:
259 ········create:·yes263 ········create:·yes
260 ········dest:·/etc/ssh/sshd_config264 ········dest:·/etc/ssh/sshd_config
261 ········regexp:·^ClientAliveInterval265 ········regexp:·^PermitUserEnvironment
262 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"266 ········line:·PermitUserEnvironment·no
263 ········validate:·sshd·-t·-f·%s267 ········validate:·sshd·-t·-f·%s
264 ······#notify:·restart·sshd 
265 ······tags:268 ······tags:
266 ········-·sshd_set_idle_timeout269 ········-·sshd_do_not_permit_user_env
267 ········-·unknown_severity270 ········-·medium_severity
268 ········-·restrict_strategy271 ········-·restrict_strategy
269 ········-·low_complexity272 ········-·low_complexity
270 ········-·low_disruption273 ········-·low_disruption
271 ········-·CCE-27433-2274 ········-·CCE-27363-1
272 ········-·NIST-800-53-AC-2(5)275 ········-·NIST-800-53-CM-6(b)
273 ········-·NIST-800-53-SA-8(i)276 ········-·NIST-800-171-3.1.12
274 ········-·NIST-800-53-AC-12 
275 ········-·NIST-800-171-3.1.11 
276 ········-·PCI-DSS-Req-8.1.8 
277 ········-·CJIS-5.5.6277 ········-·CJIS-5.5.6
278 ········-·DISA-STIG-RHEL-07-040320278 ········-·DISA-STIG-RHEL-07-010460
279 ····279 ····
280 ····-·name:·Use·Only·Approved·Ciphers280 ····-·name:·Use·Only·Approved·Ciphers
281 ······lineinfile:281 ······lineinfile:
282 ········create:·yes282 ········create:·yes
283 ········dest:·/etc/ssh/sshd_config283 ········dest:·/etc/ssh/sshd_config
284 ········regexp:·^Ciphers284 ········regexp:·^Ciphers
285 ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc285 ········line:·Ciphers·aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
Offset 1435, 72 lines modifiedOffset 1435, 72 lines modified
1435 ········-·low_complexity1435 ········-·low_complexity
1436 ········-·low_disruption1436 ········-·low_disruption
1437 ········-·CCE-26887-01437 ········-·CCE-26887-0
1438 ········-·NIST-800-53-AC-61438 ········-·NIST-800-53-AC-6
1439 ········-·PCI-DSS-Req-8.7.c1439 ········-·PCI-DSS-Req-8.7.c
1440 ········-·CJIS-5.5.2.21440 ········-·CJIS-5.5.2.2
1441 ····1441 ····
1442 ····-·name:·"Read·list·libraries·without·root·ownership"1442 ····-·name:·"Read·list·of·world·and·group·writable·system·executables"
1443 ······shell:·"find·-L·/usr/lib·/usr/lib64·/lib·/lib64·\\!·-user·root"1443 ······shell:·"find·/bin·/usr/bin·/usr/local/bin·/sbin·/usr/sbin·/usr/local/sbin·/usr/libexec·-perm·/022·-type·f"
1444 ······register:·libraries_not_owned_by_root1444 ······register:·world_writable_library_files
1445 ······changed_when:·False1445 ······changed_when:·False
1446 ······failed_when:·False1446 ······failed_when:·False
1447 ······check_mode:·no1447 ······check_mode:·no
1448 ······tags:1448 ······tags:
Max diff block lines reached; 2725/7023 bytes (38.80%) of diff not shown.
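Review bot: The moved `Set SSH Idle Timeout Interval` task (file lines 173–194) writes `ClientAliveInterval` into sshd_config and validates it with `sshd -t -f %s`, but its `#notify: restart sshd` is commented out and no handler appears in this hunk, so on a running host the idle timeout is not enforced until something else restarts sshd — the remediation reports `changed` while the control it implements is still inactive. Unless a handler elsewhere in the play covers this (the play continues outside the hunk), the task should `notify: restart sshd` with a matching `handlers:` entry that runs `service: name=sshd state=restarted`; the other sshd_config tasks in this role (`Banner`, `PermitUserEnvironment`, `Protocol`, `Ciphers`) have the same gap. As a point of naming, the `find /bin /usr/bin … -perm /022 -type f` at 1443 registers into `world_writable_library_files` although it lists executables, not libraries — `world_writable_executables` would read correctly.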
53.0 KB
./usr/share/scap-security-guide/ansible/ssg-sl7-role-standard.yml
Ordering differences only
    
Offset 832, 1269 lines modifiedOffset 832, 1269 lines modified
832 ········-·CJIS-5.4.1.1832 ········-·CJIS-5.4.1.1
833 ········-·DISA-STIG-RHEL-07-030440833 ········-·DISA-STIG-RHEL-07-030440
834 ····834 ····
835 ····835 ····
836 ····#836 ····#
837 ····#·What·architecture·are·we·on?837 ····#·What·architecture·are·we·on?
838 ····#838 ····#
839 ····-·name:·Set·architecture·for·audit·fsetxattr·tasks839 ····-·name:·Set·architecture·for·audit·chown·tasks
840 ······set_fact:840 ······set_fact:
841 ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}"841 ········audit_arch:·"b{{·ansible_architecture·|·regex_replace('.*(\\d\\d$)','\\1')·}}"
842 ····842 ····
843 ····#843 ····#
844 ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d844 ····#·Inserts/replaces·the·rule·in·/etc/audit/rules.d
845 ····#845 ····#
846 ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules846 ····-·name:·Search·/etc/audit/rules.d·for·other·DAC·audit·rules
847 ······find:847 ······find:
848 ········paths:·"/etc/audit/rules.d"848 ········paths:·"/etc/audit/rules.d"
849 ········recurse:·no849 ········recurse:·no
850 ········contains:·"-F·key=perm_mod$"850 ········contains:·"-F·key=perm_mod$"
851 ········patterns:·"*.rules"851 ········patterns:·"*.rules"
852 ······register:·find_fsetxattr852 ······register:·find_chown
853 ····853 ····
854 ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule854 ····-·name:·If·existing·DAC·ruleset·not·found,·use·/etc/audit/rules.d/privileged.rules·as·the·recipient·for·the·rule
855 ······set_fact:855 ······set_fact:
856 ········all_files:·856 ········all_files:·
857 ··········-·/etc/audit/rules.d/privileged.rules857 ··········-·/etc/audit/rules.d/privileged.rules
858 ······when:·find_fsetxattr.matched·==·0858 ······when:·find_chown.matched·==·0
859 ····859 ····
860 ····-·name:·Use·matched·file·as·the·recipient·for·the·rule860 ····-·name:·Use·matched·file·as·the·recipient·for·the·rule
861 ······set_fact:861 ······set_fact:
862 ········all_files:862 ········all_files:
863 ··········-·"{{·find_fsetxattr.files·|·map(attribute='path')·|·list·|·first·}}"863 ··········-·"{{·find_chown.files·|·map(attribute='path')·|·list·|·first·}}"
864 ······when:·find_fsetxattr.matched·>·0864 ······when:·find_chown.matched·>·0
865 ····865 ····
866 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·rules.d·when·on·x86866 ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86
867 ······lineinfile:867 ······lineinfile:
868 ········path:·"{{·all_files[0]·}}"868 ········path:·"{{·all_files[0]·}}"
869 ········line:·"-a·always,exit·-F·arch=b32·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"869 ········line:·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
870 ········create:·yes870 ········create:·yes
871 ······tags:871 ······tags:
872 ········-·audit_rules_dac_modification_fsetxattr872 ········-·audit_rules_dac_modification_chown
873 ········-·unknown_severity873 ········-·unknown_severity
874 ········-·restrict_strategy874 ········-·restrict_strategy
875 ········-·low_complexity875 ········-·low_complexity
876 ········-·low_disruption876 ········-·low_disruption
877 ········-·CCE-27389-6877 ········-·CCE-27364-9
878 ········-·NIST-800-53-AC-17(7)878 ········-·NIST-800-53-AC-17(7)
879 ········-·NIST-800-53-AU-1(b)879 ········-·NIST-800-53-AU-1(b)
880 ········-·NIST-800-53-AU-2(a)880 ········-·NIST-800-53-AU-2(a)
881 ········-·NIST-800-53-AU-2(c)881 ········-·NIST-800-53-AU-2(c)
882 ········-·NIST-800-53-AU-2(d)882 ········-·NIST-800-53-AU-2(d)
883 ········-·NIST-800-53-AU-12(a)883 ········-·NIST-800-53-AU-12(a)
884 ········-·NIST-800-53-AU-12(c)884 ········-·NIST-800-53-AU-12(c)
885 ········-·NIST-800-53-IR-5885 ········-·NIST-800-53-IR-5
886 ········-·NIST-800-171-3.1.7886 ········-·NIST-800-171-3.1.7
887 ········-·PCI-DSS-Req-10.5.5887 ········-·PCI-DSS-Req-10.5.5
888 ········-·CJIS-5.4.1.1888 ········-·CJIS-5.4.1.1
889 ········-·DISA-STIG-RHEL-07-030450889 ········-·DISA-STIG-RHEL-07-030370
890 ····890 ····
891 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·rules.d·when·on·x86_64891 ····-·name:·Inserts/replaces·the·chown·rule·in·rules.d·when·on·x86_64
892 ······lineinfile:892 ······lineinfile:
893 ········path:·"{{·all_files[0]·}}"893 ········path:·"{{·all_files[0]·}}"
894 ········line:·"-a·always,exit·-F·arch=b64·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"894 ········line:·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
895 ········create:·yes895 ········create:·yes
896 ······when:·audit_arch·==·'b64'896 ······when:·audit_arch·==·'b64'
897 ······tags:897 ······tags:
898 ········-·audit_rules_dac_modification_fsetxattr898 ········-·audit_rules_dac_modification_chown
899 ········-·unknown_severity899 ········-·unknown_severity
900 ········-·restrict_strategy900 ········-·restrict_strategy
901 ········-·low_complexity901 ········-·low_complexity
902 ········-·low_disruption902 ········-·low_disruption
903 ········-·CCE-27389-6903 ········-·CCE-27364-9
904 ········-·NIST-800-53-AC-17(7)904 ········-·NIST-800-53-AC-17(7)
905 ········-·NIST-800-53-AU-1(b)905 ········-·NIST-800-53-AU-1(b)
906 ········-·NIST-800-53-AU-2(a)906 ········-·NIST-800-53-AU-2(a)
907 ········-·NIST-800-53-AU-2(c)907 ········-·NIST-800-53-AU-2(c)
908 ········-·NIST-800-53-AU-2(d)908 ········-·NIST-800-53-AU-2(d)
909 ········-·NIST-800-53-AU-12(a)909 ········-·NIST-800-53-AU-12(a)
910 ········-·NIST-800-53-AU-12(c)910 ········-·NIST-800-53-AU-12(c)
911 ········-·NIST-800-53-IR-5911 ········-·NIST-800-53-IR-5
912 ········-·NIST-800-171-3.1.7912 ········-·NIST-800-171-3.1.7
913 ········-·PCI-DSS-Req-10.5.5913 ········-·PCI-DSS-Req-10.5.5
914 ········-·CJIS-5.4.1.1914 ········-·CJIS-5.4.1.1
915 ········-·DISA-STIG-RHEL-07-030450915 ········-·DISA-STIG-RHEL-07-030370
916 ····#····916 ····#····
917 ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules917 ····#·Inserts/replaces·the·rule·in·/etc/audit/audit.rules
918 ····#918 ····#
919 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·/etc/audit/audit.rules·when·on·x86919 ····-·name:·Inserts/replaces·the·chown·rule·in·/etc/audit/audit.rules·when·on·x86
920 ······lineinfile:920 ······lineinfile:
921 ········line:·"{{·item·}}"921 ········line:·"{{·item·}}"
922 ········state:·present922 ········state:·present
923 ········dest:·/etc/audit/audit.rules923 ········dest:·/etc/audit/audit.rules
924 ······with_items:924 ······with_items:
925 ········-·"-a·always,exit·-F·arch=b32·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"925 ········-·"-a·always,exit·-F·arch=b32·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
926 ······tags:926 ······tags:
927 ········-·audit_rules_dac_modification_fsetxattr927 ········-·audit_rules_dac_modification_chown
928 ········-·unknown_severity928 ········-·unknown_severity
929 ········-·restrict_strategy929 ········-·restrict_strategy
930 ········-·low_complexity930 ········-·low_complexity
931 ········-·low_disruption931 ········-·low_disruption
932 ········-·CCE-27389-6932 ········-·CCE-27364-9
933 ········-·NIST-800-53-AC-17(7)933 ········-·NIST-800-53-AC-17(7)
934 ········-·NIST-800-53-AU-1(b)934 ········-·NIST-800-53-AU-1(b)
935 ········-·NIST-800-53-AU-2(a)935 ········-·NIST-800-53-AU-2(a)
936 ········-·NIST-800-53-AU-2(c)936 ········-·NIST-800-53-AU-2(c)
937 ········-·NIST-800-53-AU-2(d)937 ········-·NIST-800-53-AU-2(d)
938 ········-·NIST-800-53-AU-12(a)938 ········-·NIST-800-53-AU-12(a)
939 ········-·NIST-800-53-AU-12(c)939 ········-·NIST-800-53-AU-12(c)
940 ········-·NIST-800-53-IR-5940 ········-·NIST-800-53-IR-5
941 ········-·NIST-800-171-3.1.7941 ········-·NIST-800-171-3.1.7
942 ········-·PCI-DSS-Req-10.5.5942 ········-·PCI-DSS-Req-10.5.5
943 ········-·CJIS-5.4.1.1943 ········-·CJIS-5.4.1.1
944 ········-·DISA-STIG-RHEL-07-030450944 ········-·DISA-STIG-RHEL-07-030370
945 ····945 ····
946 ····-·name:·Inserts/replaces·the·fsetxattr·rule·in·audit.rules·when·on·x86_64946 ····-·name:·Inserts/replaces·the·chown·rule·in·audit.rules·when·on·x86_64
947 ······lineinfile:947 ······lineinfile:
948 ········line:·"{{·item·}}"948 ········line:·"{{·item·}}"
949 ········state:·present949 ········state:·present
950 ········dest:·/etc/audit/audit.rules950 ········dest:·/etc/audit/audit.rules
951 ········create:·yes951 ········create:·yes
952 ······with_items:952 ······with_items:
953 ········-·"-a·always,exit·-F·arch=b64·-S·fsetxattr·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"953 ········-·"-a·always,exit·-F·arch=b64·-S·chown·-F·auid>=1000·-F·auid!=4294967295·-F·key=perm_mod"
954 ······when:·audit_arch·==·'b64'954 ······when:·audit_arch·==·'b64'
955 ······tags:955 ······tags:
956 ········-·audit_rules_dac_modification_fsetxattr956 ········-·audit_rules_dac_modification_chown
957 ········-·unknown_severity957 ········-·unknown_severity
958 ········-·restrict_strategy958 ········-·restrict_strategy
Max diff block lines reached; 48574/54119 bytes (89.75%) of diff not shown.
111 KB
./usr/share/scap-security-guide/ansible/ssg-sl7-role-stig-rhel7-disa.yml
Ordering differences only
    
Offset 44, 18 lines modifiedOffset 44, 18 lines modified
44 ··········44 ··········
45 ···vars:45 ···vars:
46 ······sshd_idle_timeout_value:·60046 ······sshd_idle_timeout_value:·600
47 ······inactivity_timeout_value:·90047 ······inactivity_timeout_value:·900
48 ······rsyslog_remote_loghost_address:·logcollector48 ······rsyslog_remote_loghost_address:·logcollector
49 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·049 ······sysctl_net_ipv6_conf_all_accept_source_route_value:·0
50 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·050 ······sysctl_net_ipv4_conf_default_accept_source_route_value:·0
51 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0 
52 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·151 ······sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:·1
53 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0 
54 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·052 ······sysctl_net_ipv4_conf_default_accept_redirects_value:·0
 53 ······sysctl_net_ipv4_conf_all_accept_source_route_value:·0
 54 ······sysctl_net_ipv4_conf_all_accept_redirects_value:·0
55 ······var_selinux_policy_name:·targeted55 ······var_selinux_policy_name:·targeted
56 ······var_selinux_state:·enforcing56 ······var_selinux_state:·enforcing
57 ······var_accounts_minimum_age_login_defs:·157 ······var_accounts_minimum_age_login_defs:·1
58 ······var_accounts_maximum_age_login_defs:·6058 ······var_accounts_maximum_age_login_defs:·60
59 ······var_account_disable_post_pw_expiration:·059 ······var_account_disable_post_pw_expiration:·0
60 ······var_accounts_passwords_pam_faillock_deny:·360 ······var_accounts_passwords_pam_faillock_deny:·3
61 ······var_accounts_passwords_pam_faillock_unlock_time:·never61 ······var_accounts_passwords_pam_faillock_unlock_time:·never
Offset 72, 17 lines modifiedOffset 72, 17 lines modified
72 ······var_password_pam_difok:·872 ······var_password_pam_difok:·8
73 ······var_password_pam_ocredit:·-173 ······var_password_pam_ocredit:·-1
74 ······var_password_pam_lcredit:·-174 ······var_password_pam_lcredit:·-1
75 ······var_password_pam_ucredit:·-175 ······var_password_pam_ucredit:·-1
76 ······var_password_pam_retry:·376 ······var_password_pam_retry:·3
77 ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+and[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+sear
ching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)77 ······login_banner_text:·^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U.S.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG-authorized[\s\n]+use[\s\n]+only.[\s\n]*By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\),[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(\\n)*(\n)*-[\s\n]*The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to,[\s\n]+penetration[\s\n]+testing,[\s\n]+COMSEC[\s\n]+monitoring,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\),[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\),[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations.(\\n)*(\n)*-[\s\n]*At[\s\n]+any[\s\n]+time,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS.(\\n)*(\n)*-[\s\n]*Communications[\s\n]+using,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring,[\s\n]+interception,[\s\n]+an
d[\s\n]+search,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG-authorized[\s\n]+purpose.(\\n)*(\n)*-[\s\n]*This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e.g.,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests--not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy.(\\n)*(\n)*-[\s\n]*Notwithstanding[\s\n]+the[\s\n]+above,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications,[\s\n]+or[\s\n]+work[\s\n]+product,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys,[\s\n]+psychotherapists,[\s\n]+or[\s\n]+clergy,[\s\n]+and[\s\n]+their[\s\n]+assistants.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details.|I\'ve[\s\n]+read[\s\n]+\&[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem\'t$)
78 ······var_accounts_user_umask:·07778 ······var_accounts_user_umask:·077
 79 ······var_accounts_max_concurrent_login_sessions:·10
79 ······var_accounts_fail_delay:·480 ······var_accounts_fail_delay:·4
80 ······var_accounts_tmout:·60081 ······var_accounts_tmout:·600
81 ······var_accounts_max_concurrent_login_sessions:·10 
82 ······var_auditd_action_mail_acct:·root82 ······var_auditd_action_mail_acct:·root
83 ······var_auditd_space_left_action:·email83 ······var_auditd_space_left_action:·email
84 ······var_removable_partition:·/dev/cdrom84 ······var_removable_partition:·/dev/cdrom
85 ···tasks:85 ···tasks:
86 ····-·name:·Ensure·rsh-server·is·removed86 ····-·name:·Ensure·rsh-server·is·removed
87 ······package:87 ······package:
88 ········name="{{item}}"88 ········name="{{item}}"
Offset 250, 14 lines modifiedOffset 250, 33 lines modified
250 ········-·low_disruption250 ········-·low_disruption
251 ········-·CCE-80258-7251 ········-·CCE-80258-7
252 ········-·NIST-800-53-AC-17(8)252 ········-·NIST-800-53-AC-17(8)
253 ········-·NIST-800-53-CM-7253 ········-·NIST-800-53-CM-7
254 ········-·NIST-800-53-CM-6(b)254 ········-·NIST-800-53-CM-6(b)
255 ········-·DISA-STIG-RHEL-07-021300255 ········-·DISA-STIG-RHEL-07-021300
256 ····256 ····
 257 ····-·name:·"Enable·Use·of·Strict·Mode·Checking"
 258 ······lineinfile:
 259 ········create:·yes
 260 ········dest:·/etc/ssh/sshd_config
 261 ········regexp:·(?i)^#?strictmodes
 262 ········line:·StrictModes·yes
 263 ········validate:·sshd·-t·-f·%s
 264 ······#notify:·restart·sshd
 265 ······tags:
 266 ········-·sshd_enable_strictmodes
 267 ········-·medium_severity
 268 ········-·restrict_strategy
 269 ········-·low_complexity
 270 ········-·low_disruption
 271 ········-·CCE-80222-3
 272 ········-·NIST-800-53-AC-6
 273 ········-·NIST-800-171-3.1.12
 274 ········-·DISA-STIG-RHEL-07-040450
 275 ····
257 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"276 ····-·name:·"Disable·SSH·Support·for·User·Known·Hosts"
258 ······lineinfile:277 ······lineinfile:
259 ········create:·yes278 ········create:·yes
260 ········dest:·/etc/ssh/sshd_config279 ········dest:·/etc/ssh/sshd_config
261 ········regexp:·^IgnoreUserKnownHosts280 ········regexp:·^IgnoreUserKnownHosts
262 ········line:·IgnoreUserKnownHosts·yes281 ········line:·IgnoreUserKnownHosts·yes
263 ········validate:·sshd·-t·-f·%s282 ········validate:·sshd·-t·-f·%s
Offset 313, 31 lines modifiedOffset 332, 38 lines modified
313 ········-·NIST-800-53-AC-2(5)332 ········-·NIST-800-53-AC-2(5)
314 ········-·NIST-800-53-SA-8333 ········-·NIST-800-53-SA-8
315 ········-·NIST-800-53-AC-12334 ········-·NIST-800-53-AC-12
316 ········-·NIST-800-171-3.1.11335 ········-·NIST-800-171-3.1.11
317 ········-·CJIS-5.5.6336 ········-·CJIS-5.5.6
318 ········-·DISA-STIG-RHEL-07-040340337 ········-·DISA-STIG-RHEL-07-040340
319 ····338 ····
320 ····-·name:·Disable·SSH·Support·for·Rhosts·RSA·Authentication339 ····
 340 ····
 341 ····-·name:·Set·SSH·Idle·Timeout·Interval
321 ······lineinfile:342 ······lineinfile:
322 ········create:·yes343 ········create:·yes
323 ········dest:·/etc/ssh/sshd_config344 ········dest:·/etc/ssh/sshd_config
324 ········regexp:·^RhostsRSAAuthentication345 ········regexp:·^ClientAliveInterval
325 ········line:·RhostsRSAAuthentication·no346 ········line:·"ClientAliveInterval·{{·sshd_idle_timeout_value·}}"
326 ········validate:·sshd·-t·-f·%s347 ········validate:·sshd·-t·-f·%s
 348 ······#notify:·restart·sshd
327 ······tags:349 ······tags:
328 ········-·sshd_disable_rhosts_rsa350 ········-·sshd_set_idle_timeout
329 ········-·medium_severity351 ········-·unknown_severity
330 ········-·restrict_strategy352 ········-·restrict_strategy
331 ········-·low_complexity353 ········-·low_complexity
332 ········-·low_disruption354 ········-·low_disruption
333 ········-·CCE-80373-4355 ········-·CCE-27433-2
334 ········-·NIST-800-53-CM-6(a)356 ········-·NIST-800-53-AC-2(5)
335 ········-·NIST-800-171-3.1.12357 ········-·NIST-800-53-SA-8(i)
336 ········-·DISA-STIG-RHEL-07-040330358 ········-·NIST-800-53-AC-12
 359 ········-·NIST-800-171-3.1.11
 360 ········-·PCI-DSS-Req-8.1.8
 361 ········-·CJIS-5.5.6
 362 ········-·DISA-STIG-RHEL-07-040320
337 ····363 ····
338 ····-·name:·Enable·SSH·Warning·Banner364 ····-·name:·Enable·SSH·Warning·Banner
339 ······lineinfile:365 ······lineinfile:
340 ········create:·yes366 ········create:·yes
341 ········dest:·/etc/ssh/sshd_config367 ········dest:·/etc/ssh/sshd_config
342 ········regexp:·^Banner368 ········regexp:·^Banner
343 ········line:·Banner·/etc/issue369 ········line:·Banner·/etc/issue
Offset 377, 33 lines modifiedOffset 403, 14 lines modified
377 ········-·NIST-800-53-IA-7403 ········-·NIST-800-53-IA-7
378 ········-·NIST-800-53-SC-13404 ········-·NIST-800-53-SC-13
379 ········-·NIST-800-171-3.1.13405 ········-·NIST-800-171-3.1.13
380 ········-·NIST-800-171-3.13.11406 ········-·NIST-800-171-3.13.11
381 ········-·NIST-800-171-3.13.8407 ········-·NIST-800-171-3.13.8
382 ········-·DISA-STIG-RHEL-07-040400408 ········-·DISA-STIG-RHEL-07-040400
383 ····409 ····
384 ····-·name:·Do·Not·Allow·SSH·Environment·Options 
385 ······lineinfile: 
386 ········create:·yes 
387 ········dest:·/etc/ssh/sshd_config 
388 ········regexp:·^PermitUserEnvironment 
389 ········line:·PermitUserEnvironment·no 
390 ········validate:·sshd·-t·-f·%s 
Max diff block lines reached; 106151/113585 bytes (93.46%) of diff not shown.
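Review bot: Two builds of the same source produce this role with the `vars` entries (the sysctl `accept_redirects`/`accept_source_route` values and `var_accounts_max_concurrent_login_sessions`) and the sshd tasks ("Enable Use of Strict Mode Checking", "Disable SSH Support for Rhosts RSA Authentication", "Set SSH Idle Timeout Interval") in a different order, which suggests the generator iterates an unordered collection; the rule list should be sorted before rendering so the shipped remediation playbook can be reproduced and attested. The reordering of vars has no runtime effect, and reordering `lineinfile` tasks on the same file is only safe because each task is idempotent, but that property is relied on silently rather than stated. Separately, the new tasks write `StrictModes yes` and `ClientAliveInterval {{ sshd_idle_timeout_value }}` to /etc/ssh/sshd_config with `validate: sshd -t -f %s` while leaving `#notify: restart sshd` commented out, so the settings are written but not enforced until something restarts sshd; either wire a `restart sshd` handler or add a comment such as `# sshd must be restarted for this setting to take effect` on each of those tasks. The hunks cut through the task list, so tasks before the first hunk and after the last are not visible here.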
329 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-C2S.sh
    
Offset 27, 17 lines modifiedOffset 27, 17 lines modified
27 #27 #
28 #·How·to·apply·this·remediation·role:28 #·How·to·apply·this·remediation·role:
29 #·$·sudo·./remediation-role.sh29 #·$·sudo·./remediation-role.sh
30 #30 #
31 ###############################################################################31 ###############################################################################
  
32 ###############################################################################32 ###############################################################################
33 #·BEGIN·fix·(1·/·188)·for·'package_samba_removed'33 #·BEGIN·fix·(1·/·188)·for·'package_vsftpd_removed'
34 ###############################################################################34 ###############################################################################
35 (>&2·echo·"Remediating·rule·1/188:·'package_samba_removed'")35 (>&2·echo·"Remediating·rule·1/188:·'package_vsftpd_removed'")
36 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.36 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
37 #37 #
38 #·Example·Call(s):38 #·Example·Call(s):
39 #39 #
40 #·····package_remove·telnet-server40 #·····package_remove·telnet-server
41 #41 #
42 function·package_remove·{42 function·package_remove·{
Offset 67, 16 lines modifiedOffset 67, 16 lines modified
67 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"67 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
68 ··echo·"Aborting."68 ··echo·"Aborting."
69 ··exit·169 ··exit·1
70 fi70 fi
  
71 }71 }
  
72 package_remove·samba72 package_remove·vsftpd
73 #·END·fix·for·'package_samba_removed'73 #·END·fix·for·'package_vsftpd_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed'75 #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'")77 (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'")
78 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.78 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
79 #79 #
Offset 115, 24 lines modifiedOffset 115, 61 lines modified
  
115 }115 }
  
116 package_remove·httpd116 package_remove·httpd
117 #·END·fix·for·'package_httpd_removed'117 #·END·fix·for·'package_httpd_removed'
  
118 ###############################################################################118 ###############################################################################
119 #·BEGIN·fix·(3·/·188)·for·'postfix_network_listening_disabled'119 #·BEGIN·fix·(3·/·188)·for·'package_bind_removed'
120 ###############################################################################120 ###############################################################################
121 (>&2·echo·"Remediating·rule·3/188:·'postfix_network_listening_disabled'")121 (>&2·echo·"Remediating·rule·3/188:·'package_bind_removed'")
122 #·FIX·FOR·THIS·RULE·IS·MISSING122 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
123 #·END·fix·for·'postfix_network_listening_disabled'123 #
 124 #·Example·Call(s):
 125 #
 126 #·····package_remove·telnet-server
 127 #
 128 function·package_remove·{
  
 129 #·Load·function·arguments·into·local·variables
 130 local·package="$1"
  
 131 #·Check·sanity·of·the·input
 132 if·[·$#·-ne·"1"·]
 133 then
 134 ··echo·"Usage:·package_remove·'package_name'"
 135 ··echo·"Aborting."
 136 ··exit·1
 137 fi
  
 138 if·which·dnf·;·then
 139 ··if·rpm·-q·--quiet·"$package";·then
 140 ····dnf·remove·-y·"$package"
 141 ··fi
 142 elif·which·yum·;·then
 143 ··if·rpm·-q·--quiet·"$package";·then
 144 ····yum·remove·-y·"$package"
 145 ··fi
 146 elif·which·apt-get·;·then
 147 ··apt-get·remove·-y·"$package"
 148 else
 149 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 150 ··echo·"Aborting."
 151 ··exit·1
 152 fi
  
 153 }
  
 154 package_remove·bind
 155 #·END·fix·for·'package_bind_removed'
  
124 ###############################################################################156 ###############################################################################
125 #·BEGIN·fix·(4·/·188)·for·'package_dhcp_removed'157 #·BEGIN·fix·(4·/·188)·for·'package_samba_removed'
126 ###############################################################################158 ###############################################################################
127 (>&2·echo·"Remediating·rule·4/188:·'package_dhcp_removed'")159 (>&2·echo·"Remediating·rule·4/188:·'package_samba_removed'")
128 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.160 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
129 #161 #
130 #·Example·Call(s):162 #·Example·Call(s):
131 #163 #
132 #·····package_remove·telnet-server164 #·····package_remove·telnet-server
133 #165 #
134 function·package_remove·{166 function·package_remove·{
Offset 162, 16 lines modifiedOffset 199, 16 lines modified
162 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"199 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
163 ··echo·"Aborting."200 ··echo·"Aborting."
164 ··exit·1201 ··exit·1
165 fi202 fi
  
166 }203 }
  
167 package_remove·dhcp204 package_remove·samba
168 #·END·fix·for·'package_dhcp_removed'205 #·END·fix·for·'package_samba_removed'
  
169 ###############################################################################206 ###############################################################################
170 #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled'207 #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled'
171 ###############################################################################208 ###############################################################################
172 (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'")209 (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'")
173 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.210 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
174 #211 #
Offset 262, 17 lines modifiedOffset 299, 105 lines modified
262 #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server'299 #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server'
263 ###############################################################################300 ###############################################################################
264 (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'")301 (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'")
265 #·FIX·FOR·THIS·RULE·IS·MISSING302 #·FIX·FOR·THIS·RULE·IS·MISSING
266 #·END·fix·for·'ntpd_specify_remote_server'303 #·END·fix·for·'ntpd_specify_remote_server'
  
267 ###############################################################################304 ###############################################################################
268 #·BEGIN·fix·(8·/·188)·for·'service_cups_disabled'305 #·BEGIN·fix·(8·/·188)·for·'package_openldap-servers_removed'
269 ###############################################################################306 ###############################################################################
270 (>&2·echo·"Remediating·rule·8/188:·'service_cups_disabled'")307 (>&2·echo·"Remediating·rule·8/188:·'package_openldap-servers_removed'")
 308 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 309 #
 310 #·Example·Call(s):
Max diff block lines reached; 329997/337019 bytes (97.92%) of diff not shown.
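Review bot: Rule numbering in this generated script is not stable across builds — rule 1/188 is `package_samba_removed` in one build and `package_vsftpd_removed` in the other, and rule 3 flips between `postfix_network_listening_disabled` and `package_bind_removed` — which suggests the generator emits rules in set or hash order rather than a sorted one, so two builds of the same source cannot be compared or attested and a reviewer cannot meaningfully diff releases of the role. For `ntpd_specify_remote_server` the script prints `(>&2 echo "Remediating rule 7/188: 'ntpd_specify_remote_server'")` and then only `# FIX FOR THIS RULE IS MISSING`, so an operator's log claims a remediation that never ran; the message should say the rule is skipped, e.g. `(>&2 echo "Rule 7/188: 'ntpd_specify_remote_server' has no remediation; skipping")`, and the script should summarize skipped rules so the gap is not mistaken for compliance. Minor: `which dnf ;` and `which yum ;` in `package_remove` print the binary path to stdout on every call; `which dnf >/dev/null 2>&1` keeps the role's output clean. `package_remove` is repeated verbatim for every package rule, so any correction must be made in the generator template rather than in this file, and diffoscope truncates the section after rule 8/188, so later rules are not visible here.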
437 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-CS2.sh
    
Offset 18, 17 lines modifiedOffset 18, 31 lines modified
18 #18 #
19 #·How·to·apply·this·remediation·role:19 #·How·to·apply·this·remediation·role:
20 #·$·sudo·./remediation-role.sh20 #·$·sudo·./remediation-role.sh
21 #21 #
22 ###############################################################################22 ###############################################################################
  
23 ###############################################################################23 ###############################################################################
24 #·BEGIN·fix·(1·/·313)·for·'service_smb_disabled'24 #·BEGIN·fix·(1·/·313)·for·'ftp_log_transactions'
25 ###############################################################################25 ###############################################################################
26 (>&2·echo·"Remediating·rule·1/313:·'service_smb_disabled'")26 (>&2·echo·"Remediating·rule·1/313:·'ftp_log_transactions'")
 27 #·FIX·FOR·THIS·RULE·IS·MISSING
 28 #·END·fix·for·'ftp_log_transactions'
  
 29 ###############################################################################
 30 #·BEGIN·fix·(2·/·313)·for·'ftp_present_banner'
 31 ###############################################################################
 32 (>&2·echo·"Remediating·rule·2/313:·'ftp_present_banner'")
 33 #·FIX·FOR·THIS·RULE·IS·MISSING
 34 #·END·fix·for·'ftp_present_banner'
  
 35 ###############################################################################
 36 #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled'
 37 ###############################################################################
 38 (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'")
27 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.39 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
28 #40 #
29 #·Example·Call(s):41 #·Example·Call(s):
30 #42 #
31 #·····service_command·enable·bluetooth43 #·····service_command·enable·bluetooth
32 #·····service_command·disable·bluetooth.service44 #·····service_command·disable·bluetooth.service
33 #45 #
Offset 96, 49 lines modifiedOffset 110, 60 lines modified
96 ··else110 ··else
97 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd111 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
98 ··fi112 ··fi
99 fi113 fi
  
100 }114 }
  
101 service_command·disable·smb115 service_command·disable·vsftpd
102 #·END·fix·for·'service_smb_disabled'116 #·END·fix·for·'service_vsftpd_disabled'
  
103 ###############################################################################117 ###############################################################################
104 #·BEGIN·fix·(2·/·313)·for·'smb_server_disable_root'118 #·BEGIN·fix·(4·/·313)·for·'package_vsftpd_removed'
105 ###############################################################################119 ###############################################################################
106 (>&2·echo·"Remediating·rule·2/313:·'smb_server_disable_root'")120 (>&2·echo·"Remediating·rule·4/313:·'package_vsftpd_removed'")
107 #·FIX·FOR·THIS·RULE·IS·MISSING121 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
108 #·END·fix·for·'smb_server_disable_root'122 #
 123 #·Example·Call(s):
 124 #
 125 #·····package_remove·telnet-server
 126 #
 127 function·package_remove·{
  
109 ###############################################################################128 #·Load·function·arguments·into·local·variables
110 #·BEGIN·fix·(3·/·313)·for·'require_smb_client_signing'129 local·package="$1"
111 ############################################################################### 
112 (>&2·echo·"Remediating·rule·3/313:·'require_smb_client_signing'") 
113 ###################################################################### 
114 #By·Luke·"Brisk-OH"·Brisk 
115 #luke.brisk@boeing.com·or·luke.brisk@gmail.com 
116 ###################################################################### 
  
117 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)130 #·Check·sanity·of·the·input
 131 if·[·$#·-ne·"1"·]
 132 then
 133 ··echo·"Usage:·package_remove·'package_name'"
 134 ··echo·"Aborting."
 135 ··exit·1
 136 fi
  
118 if·[·"$CLIENTSIGNING"·-eq·0·];··then137 if·which·dnf·;·then
119 »       #·Add·to·global·section138 ··if·rpm·-q·--quiet·"$package";·then
120 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf139 ····dnf·remove·-y·"$package"
 140 ··fi
 141 elif·which·yum·;·then
 142 ··if·rpm·-q·--quiet·"$package";·then
 143 ····yum·remove·-y·"$package"
 144 ··fi
 145 elif·which·apt-get·;·then
 146 ··apt-get·remove·-y·"$package"
121 else147 else
122 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf148 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 149 ··echo·"Aborting."
 150 ··exit·1
123 fi151 fi
124 #·END·fix·for·'require_smb_client_signing' 
  
125 ###############################################################################152 }
126 #·BEGIN·fix·(4·/·313)·for·'mount_option_smb_client_signing' 
127 ###############################################################################153 package_remove·vsftpd
128 (>&2·echo·"Remediating·rule·4/313:·'mount_option_smb_client_signing'")154 #·END·fix·for·'package_vsftpd_removed'
129 #·FIX·FOR·THIS·RULE·IS·MISSING 
130 #·END·fix·for·'mount_option_smb_client_signing' 
  
131 ###############################################################################155 ###############################################################################
132 #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed'156 #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed'
133 ###############################################################################157 ###############################################################################
134 (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'")158 (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'")
135 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.159 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
136 #160 #
Offset 248, 94 lines modifiedOffset 273, 183 lines modified
248 #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support'273 #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support'
249 ###############################################################################274 ###############################################################################
250 (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'")275 (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'")
251 #·FIX·FOR·THIS·RULE·IS·MISSING276 #·FIX·FOR·THIS·RULE·IS·MISSING
252 #·END·fix·for·'httpd_ldap_support'277 #·END·fix·for·'httpd_ldap_support'
  
253 ###############################################################################278 ###############################################################################
254 #·BEGIN·fix·(16·/·313)·for·'httpd_mime_magic'279 #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support'
255 ###############################################################################280 ###############################################################################
256 (>&2·echo·"Remediating·rule·16/313:·'httpd_mime_magic'")281 (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'")
257 #·FIX·FOR·THIS·RULE·IS·MISSING282 #·FIX·FOR·THIS·RULE·IS·MISSING
258 #·END·fix·for·'httpd_mime_magic'283 #·END·fix·for·'httpd_cgi_support'
  
259 ###############################################################################284 ###############################################################################
260 #·BEGIN·fix·(17·/·313)·for·'httpd_digest_authentication'285 #·BEGIN·fix·(17·/·313)·for·'httpd_url_correction'
261 ###############################################################################286 ###############################################################################
262 (>&2·echo·"Remediating·rule·17/313:·'httpd_digest_authentication'")287 (>&2·echo·"Remediating·rule·17/313:·'httpd_url_correction'")
263 #·FIX·FOR·THIS·RULE·IS·MISSING288 #·FIX·FOR·THIS·RULE·IS·MISSING
264 #·END·fix·for·'httpd_digest_authentication'289 #·END·fix·for·'httpd_url_correction'
  
265 ###############################################################################290 ###############################################################################
266 #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status'291 #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status'
267 ###############################################################################292 ###############################################################################
268 (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'")293 (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'")
269 #·FIX·FOR·THIS·RULE·IS·MISSING294 #·FIX·FOR·THIS·RULE·IS·MISSING
Max diff block lines reached; 441404/447704 bytes (98.59%) of diff not shown.
292 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-CSCF-RHEL6-MLS.sh
    
Offset 23, 46 lines modifiedOffset 23, 99 lines modified
23 #23 #
24 #·How·to·apply·this·remediation·role:24 #·How·to·apply·this·remediation·role:
25 #·$·sudo·./remediation-role.sh25 #·$·sudo·./remediation-role.sh
26 #26 #
27 ###############################################################################27 ###############################################################################
  
28 ###############################################################################28 ###############################################################################
29 #·BEGIN·fix·(1·/·215)·for·'httpd_servertokens_prod'29 #·BEGIN·fix·(1·/·215)·for·'service_vsftpd_disabled'
30 ###############################################################################30 ###############################################################################
31 (>&2·echo·"Remediating·rule·1/215:·'httpd_servertokens_prod'")31 (>&2·echo·"Remediating·rule·1/215:·'service_vsftpd_disabled'")
32 #·FIX·FOR·THIS·RULE·IS·MISSING32 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
33 #·END·fix·for·'httpd_servertokens_prod'33 #
 34 #·Example·Call(s):
 35 #
 36 #·····service_command·enable·bluetooth
 37 #·····service_command·disable·bluetooth.service
 38 #
 39 #·····Using·xinetd:
 40 #·····service_command·disable·rsh.socket·xinetd=rsh
 41 #
 42 function·service_command·{
  
34 ###############################################################################43 #·Load·function·arguments·into·local·variables
35 #·BEGIN·fix·(2·/·215)·for·'file_permissions_httpd_server_conf_files'44 local·service_state=$1
36 ###############################################################################45 local·service=$2
37 (>&2·echo·"Remediating·rule·2/215:·'file_permissions_httpd_server_conf_files'")46 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
38 chmod·0640·/etc/httpd/conf/*47 #·Check·sanity·of·the·input
39 #·END·fix·for·'file_permissions_httpd_server_conf_files'48 if·[·$#·-lt·"2"·]
 49 then
 50 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 51 ··echo
 52 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 53 ··echo·"as·the·last·argument"··
 54 ··echo·"Aborting."
 55 ··exit·1
 56 fi
  
40 ###############################################################################57 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
41 #·BEGIN·fix·(3·/·215)·for·'dir_perms_var_log_httpd'58 if·[·-f·"/usr/bin/systemctl"·]·;·then
42 ###############################################################################59 ··service_util="/usr/bin/systemctl"
43 (>&2·echo·"Remediating·rule·3/215:·'dir_perms_var_log_httpd'")60 else
44 #·FIX·FOR·THIS·RULE·IS·MISSING61 ··service_util="/sbin/service"
45 #·END·fix·for·'dir_perms_var_log_httpd'62 ··chkconfig_util="/sbin/chkconfig"
 63 fi
  
46 ###############################################################################64 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
47 #·BEGIN·fix·(4·/·215)·for·'postfix_network_listening_disabled'65 #·Otherwise,·variables·are·to·be·set·to·disable·services.
48 ###############################################################################66 if·[·"$service_state"·!=·'disable'·]·;·then
49 (>&2·echo·"Remediating·rule·4/215:·'postfix_network_listening_disabled'")67 ··service_state="enable"
50 #·FIX·FOR·THIS·RULE·IS·MISSING68 ··service_operation="start"
51 #·END·fix·for·'postfix_network_listening_disabled'69 ··chkconfig_state="on"
 70 else
 71 ··service_state="disable"
 72 ··service_operation="stop"
 73 ··chkconfig_state="off"
 74 fi
  
 75 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 76 if·[·"x$chkconfig_util"·!=·x·]·;·then
 77 ··$service_util·$service·$service_operation
 78 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 79 else
 80 ··$service_util·$service_operation·$service
 81 ··$service_util·$service_state·$service
 82 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 83 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 84 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 85 ··$service_util·reset-failed·$service
 86 fi
  
 87 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 88 #·If·empty,·then·xinetd·is·not·being·used.
 89 if·[·"x$xinetd"·!=·x·]·;·then
 90 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 91 ··if·[·"$service_operation"·=·'disable'·]·;·then
 92 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 93 ··else
 94 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 95 ··fi
 96 fi
  
 97 }
  
 98 service_command·disable·vsftpd
 99 #·END·fix·for·'service_vsftpd_disabled'
  
52 ###############################################################################100 ###############################################################################
53 #·BEGIN·fix·(5·/·215)·for·'package_sendmail_removed'101 #·BEGIN·fix·(2·/·215)·for·'package_vsftpd_removed'
54 ###############################################################################102 ###############################################################################
55 (>&2·echo·"Remediating·rule·5/215:·'package_sendmail_removed'")103 (>&2·echo·"Remediating·rule·2/215:·'package_vsftpd_removed'")
56 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.104 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
57 #105 #
58 #·Example·Call(s):106 #·Example·Call(s):
59 #107 #
60 #·····package_remove·telnet-server108 #·····package_remove·telnet-server
61 #109 #
62 function·package_remove·{110 function·package_remove·{
Offset 92, 49 lines modifiedOffset 145, 132 lines modified
92 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"145 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
93 ··echo·"Aborting."146 ··echo·"Aborting."
94 ··exit·1147 ··exit·1
95 fi148 fi
  
96 }149 }
  
97 package_remove·sendmail150 package_remove·vsftpd
98 #·END·fix·for·'package_sendmail_removed'151 #·END·fix·for·'package_vsftpd_removed'
  
99 ###############################################################################152 ###############################################################################
100 #·BEGIN·fix·(6·/·215)·for·'sysconfig_networking_bootproto_ifcfg'153 #·BEGIN·fix·(3·/·215)·for·'httpd_servertokens_prod'
101 ###############################################################################154 ###############################################################################
102 (>&2·echo·"Remediating·rule·6/215:·'sysconfig_networking_bootproto_ifcfg'")155 (>&2·echo·"Remediating·rule·3/215:·'httpd_servertokens_prod'")
103 #·FIX·FOR·THIS·RULE·IS·MISSING156 #·FIX·FOR·THIS·RULE·IS·MISSING
104 #·END·fix·for·'sysconfig_networking_bootproto_ifcfg'157 #·END·fix·for·'httpd_servertokens_prod'
  
105 ###############################################################################158 ###############################################################################
106 #·BEGIN·fix·(7·/·215)·for·'dhcp_server_deny_decline'159 #·BEGIN·fix·(4·/·215)·for·'file_permissions_httpd_server_conf_files'
107 ###############################################################################160 ###############################################################################
108 (>&2·echo·"Remediating·rule·7/215:·'dhcp_server_deny_decline'")161 (>&2·echo·"Remediating·rule·4/215:·'file_permissions_httpd_server_conf_files'")
109 #·FIX·FOR·THIS·RULE·IS·MISSING 
110 #·END·fix·for·'dhcp_server_deny_decline'162 chmod·0640·/etc/httpd/conf/*
 163 #·END·fix·for·'file_permissions_httpd_server_conf_files'
  
111 ###############################################################################164 ###############################################################################
112 #·BEGIN·fix·(8·/·215)·for·'dhcp_server_disable_ddns'165 #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd'
Max diff block lines reached; 292875/299278 bytes (97.86%) of diff not shown.
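Review bot: The xinetd branch of `service_command` on new line 91 tests `"$service_operation" = 'disable'`, but that variable is only ever set to `start` or `stop` on new lines 68 and 72, so the test never matches and `service_command enable foo xinetd=foo` rewrites `/etc/xinetd.d/foo` to `disable = yes`, the opposite of what was requested. The normalized value lives in `service_state` (new lines 67 and 71), so the comparison should read `if [ "$service_state" = 'disable' ] ; then`. The same function body is emitted verbatim in the fisma-medium section (new lines 182 and 273 there) and in the desktop section, so the fix belongs in the shared template these roles are generated from rather than in each script.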
321 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-desktop.sh
    
Offset 19, 17 lines modifiedOffset 19, 17 lines modified
19 #19 #
20 #·How·to·apply·this·remediation·role:20 #·How·to·apply·this·remediation·role:
21 #·$·sudo·./remediation-role.sh21 #·$·sudo·./remediation-role.sh
22 #22 #
23 ###############################################################################23 ###############################################################################
  
24 ###############################################################################24 ###############################################################################
25 #·BEGIN·fix·(1·/·206)·for·'service_smb_disabled'25 #·BEGIN·fix·(1·/·206)·for·'service_vsftpd_disabled'
26 ###############################################################################26 ###############################################################################
27 (>&2·echo·"Remediating·rule·1/206:·'service_smb_disabled'")27 (>&2·echo·"Remediating·rule·1/206:·'service_vsftpd_disabled'")
28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
29 #29 #
30 #·Example·Call(s):30 #·Example·Call(s):
31 #31 #
32 #·····service_command·enable·bluetooth32 #·····service_command·enable·bluetooth
33 #·····service_command·disable·bluetooth.service33 #·····service_command·disable·bluetooth.service
34 #34 #
Offset 97, 47 lines modifiedOffset 97, 65 lines modified
97 ··else97 ··else
98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
99 ··fi99 ··fi
100 fi100 fi
  
101 }101 }
  
102 service_command·disable·smb102 service_command·disable·vsftpd
103 #·END·fix·for·'service_smb_disabled'103 #·END·fix·for·'service_vsftpd_disabled'
  
104 ###############################################################################104 ###############################################################################
105 #·BEGIN·fix·(2·/·206)·for·'require_smb_client_signing'105 #·BEGIN·fix·(2·/·206)·for·'package_vsftpd_removed'
106 ###############################################################################106 ###############################################################################
107 (>&2·echo·"Remediating·rule·2/206:·'require_smb_client_signing'")107 (>&2·echo·"Remediating·rule·2/206:·'package_vsftpd_removed'")
108 ######################################################################108 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
109 #By·Luke·"Brisk-OH"·Brisk109 #
110 #luke.brisk@boeing.com·or·luke.brisk@gmail.com110 #·Example·Call(s):
111 ######################################################################111 #
 112 #·····package_remove·telnet-server
 113 #
 114 function·package_remove·{
  
112 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)115 #·Load·function·arguments·into·local·variables
 116 local·package="$1"
  
113 if·[·"$CLIENTSIGNING"·-eq·0·];··then117 #·Check·sanity·of·the·input
114 »       #·Add·to·global·section118 if·[·$#·-ne·"1"·]
115 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf119 then
 120 ··echo·"Usage:·package_remove·'package_name'"
 121 ··echo·"Aborting."
 122 ··exit·1
 123 fi
  
 124 if·which·dnf·;·then
 125 ··if·rpm·-q·--quiet·"$package";·then
 126 ····dnf·remove·-y·"$package"
 127 ··fi
 128 elif·which·yum·;·then
 129 ··if·rpm·-q·--quiet·"$package";·then
 130 ····yum·remove·-y·"$package"
 131 ··fi
 132 elif·which·apt-get·;·then
 133 ··apt-get·remove·-y·"$package"
116 else134 else
117 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf135 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 136 ··echo·"Aborting."
 137 ··exit·1
118 fi138 fi
119 #·END·fix·for·'require_smb_client_signing' 
  
120 ###############################################################################139 }
121 #·BEGIN·fix·(3·/·206)·for·'mount_option_smb_client_signing' 
122 ###############################################################################140 package_remove·vsftpd
123 (>&2·echo·"Remediating·rule·3/206:·'mount_option_smb_client_signing'")141 #·END·fix·for·'package_vsftpd_removed'
124 #·FIX·FOR·THIS·RULE·IS·MISSING 
125 #·END·fix·for·'mount_option_smb_client_signing' 
  
126 ###############################################################################142 ###############################################################################
127 #·BEGIN·fix·(4·/·206)·for·'service_httpd_disabled'143 #·BEGIN·fix·(3·/·206)·for·'service_httpd_disabled'
128 ###############################################################################144 ###############################################################################
129 (>&2·echo·"Remediating·rule·4/206:·'service_httpd_disabled'")145 (>&2·echo·"Remediating·rule·3/206:·'service_httpd_disabled'")
130 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.146 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
131 #147 #
132 #·Example·Call(s):148 #·Example·Call(s):
133 #149 #
134 #·····service_command·enable·bluetooth150 #·····service_command·enable·bluetooth
135 #·····service_command·disable·bluetooth.service151 #·····service_command·disable·bluetooth.service
136 #152 #
Offset 209, 17 lines modifiedOffset 227, 17 lines modified
  
209 }227 }
  
210 service_command·disable·httpd228 service_command·disable·httpd
211 #·END·fix·for·'service_httpd_disabled'229 #·END·fix·for·'service_httpd_disabled'
  
212 ###############################################################################230 ###############################################################################
213 #·BEGIN·fix·(5·/·206)·for·'package_httpd_removed'231 #·BEGIN·fix·(4·/·206)·for·'package_httpd_removed'
214 ###############################################################################232 ###############################################################################
215 (>&2·echo·"Remediating·rule·5/206:·'package_httpd_removed'")233 (>&2·echo·"Remediating·rule·4/206:·'package_httpd_removed'")
216 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.234 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
217 #235 #
218 #·Example·Call(s):236 #·Example·Call(s):
219 #237 #
220 #·····package_remove·telnet-server238 #·····package_remove·telnet-server
221 #239 #
222 function·package_remove·{240 function·package_remove·{
Offset 253, 24 lines modifiedOffset 271, 99 lines modified
  
253 }271 }
  
254 package_remove·httpd272 package_remove·httpd
255 #·END·fix·for·'package_httpd_removed'273 #·END·fix·for·'package_httpd_removed'
  
256 ###############################################################################274 ###############################################################################
257 #·BEGIN·fix·(6·/·206)·for·'postfix_network_listening_disabled'275 #·BEGIN·fix·(5·/·206)·for·'service_named_disabled'
258 ###############################################################################276 ###############################################################################
259 (>&2·echo·"Remediating·rule·6/206:·'postfix_network_listening_disabled'")277 (>&2·echo·"Remediating·rule·5/206:·'service_named_disabled'")
260 #·FIX·FOR·THIS·RULE·IS·MISSING278 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
261 #·END·fix·for·'postfix_network_listening_disabled'279 #
 280 #·Example·Call(s):
 281 #
 282 #·····service_command·enable·bluetooth
 283 #·····service_command·disable·bluetooth.service
 284 #
 285 #·····Using·xinetd:
 286 #·····service_command·disable·rsh.socket·xinetd=rsh
 287 #
 288 function·service_command·{
  
Max diff block lines reached; 321323/328772 bytes (97.73%) of diff not shown.
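Review bot: The two builds emit the same 206 rules in a different order (rule 1/206 is `service_smb_disabled` in one build and `service_vsftpd_disabled` in the other, and `require_smb_client_signing` moves out of slot 2 while the total stays 206), which is what makes this package non-reproducible. The same reshuffle shows up in the CSCF-RHEL6-MLS, fisma-medium and ftp-server sections, so it is presumably the generator iterating an unordered collection of rule ids rather than any change in the rule content. Sorting the rule list before the `BEGIN fix (N / total)` numbering is assigned would make the output deterministic; that change lives in the build tooling, not in these scripts.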
325 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-fisma-medium-rhel6-server.sh
    
Offset 114, 17 lines modifiedOffset 114, 181 lines modified
114 #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server'114 #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server'
115 ###############################################################################115 ###############################################################################
116 (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'")116 (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'")
117 #·FIX·FOR·THIS·RULE·IS·MISSING117 #·FIX·FOR·THIS·RULE·IS·MISSING
118 #·END·fix·for·'ntpd_specify_remote_server'118 #·END·fix·for·'ntpd_specify_remote_server'
  
119 ###############################################################################119 ###############################################################################
120 #·BEGIN·fix·(4·/·211)·for·'package_rsh_removed'120 #·BEGIN·fix·(4·/·211)·for·'service_crond_enabled'
121 ###############################################################################121 ###############################################################################
122 (>&2·echo·"Remediating·rule·4/211:·'package_rsh_removed'")122 (>&2·echo·"Remediating·rule·4/211:·'service_crond_enabled'")
 123 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 124 #
 125 #·Example·Call(s):
 126 #
 127 #·····service_command·enable·bluetooth
 128 #·····service_command·disable·bluetooth.service
 129 #
 130 #·····Using·xinetd:
 131 #·····service_command·disable·rsh.socket·xinetd=rsh
 132 #
 133 function·service_command·{
  
 134 #·Load·function·arguments·into·local·variables
 135 local·service_state=$1
 136 local·service=$2
 137 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 138 #·Check·sanity·of·the·input
 139 if·[·$#·-lt·"2"·]
 140 then
 141 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 142 ··echo
 143 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 144 ··echo·"as·the·last·argument"··
 145 ··echo·"Aborting."
 146 ··exit·1
 147 fi
  
 148 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 149 if·[·-f·"/usr/bin/systemctl"·]·;·then
 150 ··service_util="/usr/bin/systemctl"
 151 else
 152 ··service_util="/sbin/service"
 153 ··chkconfig_util="/sbin/chkconfig"
 154 fi
  
 155 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 156 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 157 if·[·"$service_state"·!=·'disable'·]·;·then
 158 ··service_state="enable"
 159 ··service_operation="start"
 160 ··chkconfig_state="on"
 161 else
 162 ··service_state="disable"
 163 ··service_operation="stop"
 164 ··chkconfig_state="off"
 165 fi
  
 166 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 167 if·[·"x$chkconfig_util"·!=·x·]·;·then
 168 ··$service_util·$service·$service_operation
 169 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 170 else
 171 ··$service_util·$service_operation·$service
 172 ··$service_util·$service_state·$service
 173 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 174 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 175 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 176 ··$service_util·reset-failed·$service
 177 fi
  
 178 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 179 #·If·empty,·then·xinetd·is·not·being·used.
 180 if·[·"x$xinetd"·!=·x·]·;·then
 181 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 182 ··if·[·"$service_operation"·=·'disable'·]·;·then
 183 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 184 ··else
 185 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 186 ··fi
 187 fi
  
 188 }
  
 189 service_command·enable·crond
 190 #·END·fix·for·'service_crond_enabled'
  
 191 ###############################################################################
 192 #·BEGIN·fix·(5·/·211)·for·'service_atd_disabled'
 193 ###############################################################################
 194 (>&2·echo·"Remediating·rule·5/211:·'service_atd_disabled'")
 195 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 196 #
 197 #·Example·Call(s):
 198 #
 199 #·····service_command·enable·bluetooth
 200 #·····service_command·disable·bluetooth.service
 201 #
 202 #·····Using·xinetd:
 203 #·····service_command·disable·rsh.socket·xinetd=rsh
 204 #
 205 function·service_command·{
  
 206 #·Load·function·arguments·into·local·variables
 207 local·service_state=$1
 208 local·service=$2
 209 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 210 #·Check·sanity·of·the·input
 211 if·[·$#·-lt·"2"·]
 212 then
 213 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 214 ··echo
 215 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 216 ··echo·"as·the·last·argument"··
 217 ··echo·"Aborting."
 218 ··exit·1
 219 fi
  
 220 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 221 if·[·-f·"/usr/bin/systemctl"·]·;·then
 222 ··service_util="/usr/bin/systemctl"
 223 else
 224 ··service_util="/sbin/service"
 225 ··chkconfig_util="/sbin/chkconfig"
 226 fi
Max diff block lines reached; 326691/332694 bytes (98.20%) of diff not shown.
286 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-ftp-server.sh
    
Offset 18, 17 lines modifiedOffset 18, 96 lines modified
18 #18 #
19 #·How·to·apply·this·remediation·role:19 #·How·to·apply·this·remediation·role:
20 #·$·sudo·./remediation-role.sh20 #·$·sudo·./remediation-role.sh
21 #21 #
22 ###############################################################################22 ###############################################################################
  
23 ###############################################################################23 ###############################################################################
24 #·BEGIN·fix·(1·/·192)·for·'require_smb_client_signing'24 #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon'
25 ###############################################################################25 ###############################################################################
26 (>&2·echo·"Remediating·rule·1/192:·'require_smb_client_signing'")26 (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'")
 27 #·FIX·FOR·THIS·RULE·IS·MISSING
 28 #·END·fix·for·'ftp_restrict_to_anon'
  
 29 ###############################################################################
 30 #·BEGIN·fix·(2·/·192)·for·'ftp_home_partition'
 31 ###############################################################################
 32 (>&2·echo·"Remediating·rule·2/192:·'ftp_home_partition'")
 33 #·FIX·FOR·THIS·RULE·IS·MISSING
 34 #·END·fix·for·'ftp_home_partition'
  
 35 ###############################################################################
 36 #·BEGIN·fix·(3·/·192)·for·'ftp_log_transactions'
 37 ###############################################################################
 38 (>&2·echo·"Remediating·rule·3/192:·'ftp_log_transactions'")
 39 #·FIX·FOR·THIS·RULE·IS·MISSING
 40 #·END·fix·for·'ftp_log_transactions'
  
 41 ###############################################################################
 42 #·BEGIN·fix·(4·/·192)·for·'ftp_disable_uploads'
 43 ###############################################################################
 44 (>&2·echo·"Remediating·rule·4/192:·'ftp_disable_uploads'")
 45 #·FIX·FOR·THIS·RULE·IS·MISSING
 46 #·END·fix·for·'ftp_disable_uploads'
  
 47 ###############################################################################
 48 #·BEGIN·fix·(5·/·192)·for·'ftp_present_banner'
 49 ###############################################################################
 50 (>&2·echo·"Remediating·rule·5/192:·'ftp_present_banner'")
 51 #·FIX·FOR·THIS·RULE·IS·MISSING
 52 #·END·fix·for·'ftp_present_banner'
  
 53 ###############################################################################
 54 #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed'
 55 ###############################################################################
 56 (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'")
 57 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 58 #
 59 #·Example·Call(s):
 60 #
 61 #·····package_install·aide
 62 #
 63 function·package_install·{
  
 64 #·Load·function·arguments·into·local·variables
 65 local·package="$1"
  
 66 #·Check·sanity·of·the·input
 67 if·[·$#·-ne·"1"·]
 68 then
 69 ··echo·"Usage:·package_install·'package_name'"
 70 ··echo·"Aborting."
 71 ··exit·1
 72 fi
  
 73 if·which·dnf·;·then
 74 ··if·!·rpm·-q·--quiet·"$package";·then
 75 ····dnf·install·-y·"$package"
 76 ··fi
 77 elif·which·yum·;·then
 78 ··if·!·rpm·-q·--quiet·"$package";·then
 79 ····yum·install·-y·"$package"
 80 ··fi
 81 elif·which·apt-get·;·then
 82 ··apt-get·install·-y·"$package"
 83 else
 84 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 85 ··echo·"Aborting."
 86 ··exit·1
 87 fi
  
 88 }
  
 89 package_install·vsftpd
 90 #·END·fix·for·'package_vsftpd_installed'
  
 91 ###############################################################################
 92 #·BEGIN·fix·(7·/·192)·for·'require_smb_client_signing'
 93 ###############################################################################
 94 (>&2·echo·"Remediating·rule·7/192:·'require_smb_client_signing'")
27 ######################################################################95 ######################################################################
28 #By·Luke·"Brisk-OH"·Brisk96 #By·Luke·"Brisk-OH"·Brisk
29 #luke.brisk@boeing.com·or·luke.brisk@gmail.com97 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
30 ######################################################################98 ######################################################################
  
31 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)99 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
Offset 37, 38 lines modifiedOffset 116, 24 lines modified
37 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf116 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
38 else117 else
39 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf118 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
40 fi119 fi
41 #·END·fix·for·'require_smb_client_signing'120 #·END·fix·for·'require_smb_client_signing'
  
42 ###############################################################################121 ###############################################################################
43 #·BEGIN·fix·(2·/·192)·for·'mount_option_smb_client_signing'122 #·BEGIN·fix·(8·/·192)·for·'mount_option_smb_client_signing'
44 ###############################################################################123 ###############################################################################
45 (>&2·echo·"Remediating·rule·2/192:·'mount_option_smb_client_signing'")124 (>&2·echo·"Remediating·rule·8/192:·'mount_option_smb_client_signing'")
46 #·FIX·FOR·THIS·RULE·IS·MISSING125 #·FIX·FOR·THIS·RULE·IS·MISSING
47 #·END·fix·for·'mount_option_smb_client_signing'126 #·END·fix·for·'mount_option_smb_client_signing'
  
48 ###############################################################################127 ###############################################################################
49 #·BEGIN·fix·(3·/·192)·for·'postfix_network_listening_disabled'128 #·BEGIN·fix·(9·/·192)·for·'service_ntpd_enabled'
50 ############################################################################### 
51 (>&2·echo·"Remediating·rule·3/192:·'postfix_network_listening_disabled'") 
52 #·FIX·FOR·THIS·RULE·IS·MISSING 
53 #·END·fix·for·'postfix_network_listening_disabled' 
  
54 ############################################################################### 
55 #·BEGIN·fix·(4·/·192)·for·'sysconfig_networking_bootproto_ifcfg' 
56 ############################################################################### 
57 (>&2·echo·"Remediating·rule·4/192:·'sysconfig_networking_bootproto_ifcfg'") 
58 #·FIX·FOR·THIS·RULE·IS·MISSING 
59 #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' 
  
60 ############################################################################### 
61 #·BEGIN·fix·(5·/·192)·for·'service_ntpd_enabled' 
62 ###############################################################################129 ###############################################################################
Max diff block lines reached; 286922/292683 bytes (98.03%) of diff not shown.
411 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-nist-CL-IL-AL.sh
    
Offset 22, 43 lines modifiedOffset 22, 61 lines modified
22 #22 #
23 #·How·to·apply·this·remediation·role:23 #·How·to·apply·this·remediation·role:
24 #·$·sudo·./remediation-role.sh24 #·$·sudo·./remediation-role.sh
25 #25 #
26 ###############################################################################26 ###############################################################################
  
27 ###############################################################################27 ###############################################################################
28 #·BEGIN·fix·(1·/·270)·for·'require_smb_client_signing'28 #·BEGIN·fix·(1·/·270)·for·'package_vsftpd_removed'
29 ###############################################################################29 ###############################################################################
30 (>&2·echo·"Remediating·rule·1/270:·'require_smb_client_signing'")30 (>&2·echo·"Remediating·rule·1/270:·'package_vsftpd_removed'")
31 ######################################################################31 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
32 #By·Luke·"Brisk-OH"·Brisk32 #
33 #luke.brisk@boeing.com·or·luke.brisk@gmail.com33 #·Example·Call(s):
34 ######################################################################34 #
 35 #·····package_remove·telnet-server
 36 #
 37 function·package_remove·{
  
35 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)38 #·Load·function·arguments·into·local·variables
 39 local·package="$1"
  
36 if·[·"$CLIENTSIGNING"·-eq·0·];··then40 #·Check·sanity·of·the·input
37 »       #·Add·to·global·section41 if·[·$#·-ne·"1"·]
38 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf42 then
 43 ··echo·"Usage:·package_remove·'package_name'"
 44 ··echo·"Aborting."
 45 ··exit·1
 46 fi
  
 47 if·which·dnf·;·then
 48 ··if·rpm·-q·--quiet·"$package";·then
 49 ····dnf·remove·-y·"$package"
 50 ··fi
 51 elif·which·yum·;·then
 52 ··if·rpm·-q·--quiet·"$package";·then
 53 ····yum·remove·-y·"$package"
 54 ··fi
 55 elif·which·apt-get·;·then
 56 ··apt-get·remove·-y·"$package"
39 else57 else
40 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf58 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 59 ··echo·"Aborting."
 60 ··exit·1
41 fi61 fi
42 #·END·fix·for·'require_smb_client_signing' 
  
43 ###############################################################################62 }
44 #·BEGIN·fix·(2·/·270)·for·'mount_option_smb_client_signing' 
45 ###############################################################################63 package_remove·vsftpd
46 (>&2·echo·"Remediating·rule·2/270:·'mount_option_smb_client_signing'")64 #·END·fix·for·'package_vsftpd_removed'
47 #·FIX·FOR·THIS·RULE·IS·MISSING 
48 #·END·fix·for·'mount_option_smb_client_signing' 
  
49 ###############################################################################65 ###############################################################################
50 #·BEGIN·fix·(3·/·270)·for·'service_httpd_disabled'66 #·BEGIN·fix·(2·/·270)·for·'service_httpd_disabled'
51 ###############################################################################67 ###############################################################################
52 (>&2·echo·"Remediating·rule·3/270:·'service_httpd_disabled'")68 (>&2·echo·"Remediating·rule·2/270:·'service_httpd_disabled'")
53 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.69 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
54 #70 #
55 #·Example·Call(s):71 #·Example·Call(s):
56 #72 #
57 #·····service_command·enable·bluetooth73 #·····service_command·enable·bluetooth
58 #·····service_command·disable·bluetooth.service74 #·····service_command·disable·bluetooth.service
59 #75 #
Offset 130, 17 lines modifiedOffset 148, 17 lines modified
  
130 }148 }
  
131 service_command·disable·httpd149 service_command·disable·httpd
132 #·END·fix·for·'service_httpd_disabled'150 #·END·fix·for·'service_httpd_disabled'
  
133 ###############################################################################151 ###############################################################################
134 #·BEGIN·fix·(4·/·270)·for·'package_httpd_removed'152 #·BEGIN·fix·(3·/·270)·for·'package_httpd_removed'
135 ###############################################################################153 ###############################################################################
136 (>&2·echo·"Remediating·rule·4/270:·'package_httpd_removed'")154 (>&2·echo·"Remediating·rule·3/270:·'package_httpd_removed'")
137 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.155 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
138 #156 #
139 #·Example·Call(s):157 #·Example·Call(s):
140 #158 #
141 #·····package_remove·telnet-server159 #·····package_remove·telnet-server
142 #160 #
143 function·package_remove·{161 function·package_remove·{
Offset 174, 75 lines modifiedOffset 192, 99 lines modified
  
174 }192 }
  
175 package_remove·httpd193 package_remove·httpd
176 #·END·fix·for·'package_httpd_removed'194 #·END·fix·for·'package_httpd_removed'
  
177 ###############################################################################195 ###############################################################################
178 #·BEGIN·fix·(5·/·270)·for·'postfix_network_listening_disabled'196 #·BEGIN·fix·(4·/·270)·for·'service_named_disabled'
179 ###############################################################################197 ###############################################################################
180 (>&2·echo·"Remediating·rule·5/270:·'postfix_network_listening_disabled'")198 (>&2·echo·"Remediating·rule·4/270:·'service_named_disabled'")
181 #·FIX·FOR·THIS·RULE·IS·MISSING199 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
182 #·END·fix·for·'postfix_network_listening_disabled' 
  
183 ############################################################################### 
184 #·BEGIN·fix·(6·/·270)·for·'package_sendmail_removed' 
185 ############################################################################### 
186 (>&2·echo·"Remediating·rule·6/270:·'package_sendmail_removed'") 
187 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
188 #200 #
189 #·Example·Call(s):201 #·Example·Call(s):
190 #202 #
191 #·····package_remove·telnet-server203 #·····service_command·enable·bluetooth
 204 #·····service_command·disable·bluetooth.service
192 #205 #
193 function·package_remove·{206 #·····Using·xinetd:
 207 #·····service_command·disable·rsh.socket·xinetd=rsh
 208 #
 209 function·service_command·{
  
194 #·Load·function·arguments·into·local·variables210 #·Load·function·arguments·into·local·variables
195 local·package="$1"211 local·service_state=$1
 212 local·service=$2
 213 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
196 #·Check·sanity·of·the·input214 #·Check·sanity·of·the·input
197 if·[·$#·-ne·"1"·]215 if·[·$#·-lt·"2"·]
198 then216 then
199 ··echo·"Usage:·package_remove·'package_name'"217 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 218 ··echo
 219 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 220 ··echo·"as·the·last·argument"··
200 ··echo·"Aborting."221 ··echo·"Aborting."
201 ··exit·1222 ··exit·1
202 fi223 fi
Max diff block lines reached; 415516/421004 bytes (98.70%) of diff not shown.
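Review bot: `exit 1` inside `package_remove` (new lines 45 and 60) terminates the whole remediation role, so a bad argument or an unrecognised packaging system at rule 1/270 aborts the remaining 269 fixes instead of skipping this one; `return 1` on both lines, with the call site checking `package_remove vsftpd || echo "package_vsftpd_removed: skipped" >&2`, keeps the role going. The `which dnf`, `which yum` and `which apt-get` tests on new lines 47, 51 and 55 also print the found path to stdout, which mixes with the role's own output — `which dnf >/dev/null 2>&1` is the usual form. Separately, the two builds disagree on which rule is 1/270 (require_smb_client_signing versus package_vsftpd_removed) while the total stays 270, which suggests the generator emits fixes in a nondeterministic order; that is worth fixing in the generator, since the order in which remediations run can change the resulting state. The later hunks of this file are truncated here, so the service_command body that begins at new line 209 cannot be reviewed.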
188 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-pci-dss.sh
    
Offset 128, 424 lines modifiedOffset 128, 17 lines modified
128 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config128 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config
129 if·!·[·$?·-eq·0·];·then129 if·!·[·$?·-eq·0·];·then
130 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config130 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config
131 fi131 fi
132 #·END·fix·for·'sshd_set_idle_timeout'132 #·END·fix·for·'sshd_set_idle_timeout'
  
133 ###############################################################################133 ###############################################################################
134 #·BEGIN·fix·(5·/·94)·for·'rpm_verify_permissions'134 #·BEGIN·fix·(5·/·94)·for·'rsyslog_files_permissions'
135 ###############################################################################135 ###############################################################################
136 (>&2·echo·"Remediating·rule·5/94:·'rpm_verify_permissions'")136 (>&2·echo·"Remediating·rule·5/94:·'rsyslog_files_permissions'")
  
137 #·Declare·array·to·hold·list·of·RPM·packages·we·need·to·correct·permissions·for 
138 declare·-a·SETPERMS_RPM_LIST 
  
139 #·Create·a·list·of·files·on·the·system·having·permissions·different·from·what 
140 #·is·expected·by·the·RPM·database 
141 FILES_WITH_INCORRECT_PERMS=($(rpm·-Va·--nofiledigest·|·grep·'^.M'·|·cut·-d·'·'·-f4-)) 
  
142 #·For·each·file·path·from·that·list: 
143 #·*·Determine·the·RPM·package·the·file·path·is·shipped·by, 
144 #·*·Include·it·into·SETPERMS_RPM_LIST·array 
  
145 for·FILE_PATH·in·"${FILES_WITH_INCORRECT_PERMS[@]}" 
146 do 
147 »       RPM_PACKAGE=$(rpm·-qf·"$FILE_PATH") 
148 »       SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}"·"$RPM_PACKAGE") 
149 done 
  
150 #·Remove·duplicate·mention·of·same·RPM·in·$SETPERMS_RPM_LIST·(if·any) 
151 SETPERMS_RPM_LIST=(·$(echo·"${SETPERMS_RPM_LIST[@]}"·|·tr·'·'·'\n'·|·sort·-u·|·tr·'\n'·'·')·) 
  
152 #·For·each·of·the·RPM·packages·left·in·the·list·--·reset·its·permissions·to·the 
153 #·correct·values 
154 for·RPM_PACKAGE·in·"${SETPERMS_RPM_LIST[@]}" 
155 do 
156 »       rpm·--setperms·"${RPM_PACKAGE}" 
157 done 
158 #·END·fix·for·'rpm_verify_permissions' 
  
159 ############################################################################### 
160 #·BEGIN·fix·(6·/·94)·for·'rpm_verify_hashes' 
161 ############################################################################### 
162 (>&2·echo·"Remediating·rule·6/94:·'rpm_verify_hashes'") 
163 #·FIX·FOR·THIS·RULE·IS·MISSING 
164 #·END·fix·for·'rpm_verify_hashes' 
  
165 ############################################################################### 
166 #·BEGIN·fix·(7·/·94)·for·'install_hids' 
167 ############################################################################### 
168 (>&2·echo·"Remediating·rule·7/94:·'install_hids'") 
169 #·FIX·FOR·THIS·RULE·IS·MISSING 
170 #·END·fix·for·'install_hids' 
  
171 ############################################################################### 
172 #·BEGIN·fix·(8·/·94)·for·'package_aide_installed' 
173 ############################################################################### 
174 (>&2·echo·"Remediating·rule·8/94:·'package_aide_installed'") 
175 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
176 # 
177 #·Example·Call(s): 
178 # 
179 #·····package_install·aide 
180 # 
181 function·package_install·{ 
  
182 #·Load·function·arguments·into·local·variables 
183 local·package="$1" 
  
184 #·Check·sanity·of·the·input 
185 if·[·$#·-ne·"1"·] 
186 then 
187 ··echo·"Usage:·package_install·'package_name'" 
188 ··echo·"Aborting." 
189 ··exit·1 
190 fi 
  
191 if·which·dnf·;·then 
192 ··if·!·rpm·-q·--quiet·"$package";·then 
193 ····dnf·install·-y·"$package" 
194 ··fi 
195 elif·which·yum·;·then 
196 ··if·!·rpm·-q·--quiet·"$package";·then 
197 ····yum·install·-y·"$package" 
198 ··fi 
199 elif·which·apt-get·;·then 
200 ··apt-get·install·-y·"$package" 
201 else 
202 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
203 ··echo·"Aborting." 
204 ··exit·1 
205 fi 
  
206 } 
  
207 package_install·aide 
208 #·END·fix·for·'package_aide_installed' 
  
209 ############################################################################### 
210 #·BEGIN·fix·(9·/·94)·for·'aide_periodic_cron_checking' 
211 ############################################################################### 
212 (>&2·echo·"Remediating·rule·9/94:·'aide_periodic_cron_checking'") 
213 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
214 # 
215 #·Example·Call(s): 
216 # 
217 #·····package_install·aide 
218 # 
219 function·package_install·{ 
  
220 #·Load·function·arguments·into·local·variables 
221 local·package="$1" 
  
222 #·Check·sanity·of·the·input 
223 if·[·$#·-ne·"1"·] 
224 then 
225 ··echo·"Usage:·package_install·'package_name'" 
226 ··echo·"Aborting." 
227 ··exit·1 
228 fi 
  
229 if·which·dnf·;·then 
230 ··if·!·rpm·-q·--quiet·"$package";·then 
231 ····dnf·install·-y·"$package" 
232 ··fi 
233 elif·which·yum·;·then 
234 ··if·!·rpm·-q·--quiet·"$package";·then 
235 ····yum·install·-y·"$package" 
Max diff block lines reached; 176223/192119 bytes (91.73%) of diff not shown.
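Review bot: On new lines 128–131 the `if ! [ $? -eq 0 ]` test cannot detect the case it appears to be written for: `sed -i` exits 0 whether or not the `ClientAliveInterval.*` pattern matched, so the append on line 130 only runs when sed itself fails, and an sshd_config with no `ClientAliveInterval` line is left unchanged unless the enclosing conditional, which starts before this hunk, already guards that case. Testing for the directive explicitly, `grep -q '^ClientAliveInterval' /etc/ssh/sshd_config || echo "ClientAliveInterval $sshd_idle_timeout_value" >> /etc/ssh/sshd_config`, makes the fallback reachable; note the substitution also rewrites commented-out `#ClientAliveInterval` lines as written. The body of the new rule 5/94 'rsyslog_files_permissions' lies beyond the truncated hunk, so only its header is visible here.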
82.8 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-rht-ccp.sh
    
Offset 18, 38 lines modifiedOffset 18, 120 lines modified
18 #18 #
19 #·How·to·apply·this·remediation·role:19 #·How·to·apply·this·remediation·role:
20 #·$·sudo·./remediation-role.sh20 #·$·sudo·./remediation-role.sh
21 #21 #
22 ###############################################################################22 ###############################################################################
  
23 ###############################################################################23 ###############################################################################
24 #·BEGIN·fix·(1·/·94)·for·'service_rlogin_disabled'24 #·BEGIN·fix·(1·/·94)·for·'service_atd_disabled'
25 ###############################################################################25 ###############################################################################
26 (>&2·echo·"Remediating·rule·1/94:·'service_rlogin_disabled'")26 (>&2·echo·"Remediating·rule·1/94:·'service_atd_disabled'")
 27 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 28 #
 29 #·Example·Call(s):
 30 #
 31 #·····service_command·enable·bluetooth
 32 #·····service_command·disable·bluetooth.service
 33 #
 34 #·····Using·xinetd:
 35 #·····service_command·disable·rsh.socket·xinetd=rsh
 36 #
 37 function·service_command·{
  
 38 #·Load·function·arguments·into·local·variables
 39 local·service_state=$1
 40 local·service=$2
 41 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 42 #·Check·sanity·of·the·input
 43 if·[·$#·-lt·"2"·]
 44 then
 45 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 46 ··echo
 47 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 48 ··echo·"as·the·last·argument"··
 49 ··echo·"Aborting."
 50 ··exit·1
 51 fi
  
 52 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 53 if·[·-f·"/usr/bin/systemctl"·]·;·then
 54 ··service_util="/usr/bin/systemctl"
 55 else
 56 ··service_util="/sbin/service"
 57 ··chkconfig_util="/sbin/chkconfig"
 58 fi
  
 59 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 60 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 61 if·[·"$service_state"·!=·'disable'·]·;·then
 62 ··service_state="enable"
 63 ··service_operation="start"
 64 ··chkconfig_state="on"
 65 else
 66 ··service_state="disable"
 67 ··service_operation="stop"
 68 ··chkconfig_state="off"
 69 fi
  
 70 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 71 if·[·"x$chkconfig_util"·!=·x·]·;·then
 72 ··$service_util·$service·$service_operation
 73 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 74 else
 75 ··$service_util·$service_operation·$service
 76 ··$service_util·$service_state·$service
 77 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 78 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 79 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 80 ··$service_util·reset-failed·$service
 81 fi
  
 82 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 83 #·If·empty,·then·xinetd·is·not·being·used.
 84 if·[·"x$xinetd"·!=·x·]·;·then
 85 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 86 ··if·[·"$service_operation"·=·'disable'·]·;·then
 87 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 88 ··else
 89 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 90 ··fi
 91 fi
  
 92 }
  
 93 service_command·disable·atd
 94 #·END·fix·for·'service_atd_disabled'
  
 95 ###############################################################################
 96 #·BEGIN·fix·(2·/·94)·for·'service_rlogin_disabled'
 97 ###############################################################################
 98 (>&2·echo·"Remediating·rule·2/94:·'service_rlogin_disabled'")
27 #·FIX·FOR·THIS·RULE·IS·MISSING99 #·FIX·FOR·THIS·RULE·IS·MISSING
28 #·END·fix·for·'service_rlogin_disabled'100 #·END·fix·for·'service_rlogin_disabled'
  
29 ###############################################################################101 ###############################################################################
30 #·BEGIN·fix·(2·/·94)·for·'service_rexec_disabled'102 #·BEGIN·fix·(3·/·94)·for·'service_rexec_disabled'
31 ###############################################################################103 ###############################################################################
32 (>&2·echo·"Remediating·rule·2/94:·'service_rexec_disabled'")104 (>&2·echo·"Remediating·rule·3/94:·'service_rexec_disabled'")
33 #·FIX·FOR·THIS·RULE·IS·MISSING105 #·FIX·FOR·THIS·RULE·IS·MISSING
34 #·END·fix·for·'service_rexec_disabled'106 #·END·fix·for·'service_rexec_disabled'
  
35 ###############################################################################107 ###############################################################################
36 #·BEGIN·fix·(3·/·94)·for·'service_rsh_disabled'108 #·BEGIN·fix·(4·/·94)·for·'service_rsh_disabled'
37 ###############################################################################109 ###############################################################################
38 (>&2·echo·"Remediating·rule·3/94:·'service_rsh_disabled'")110 (>&2·echo·"Remediating·rule·4/94:·'service_rsh_disabled'")
39 #·FIX·FOR·THIS·RULE·IS·MISSING111 #·FIX·FOR·THIS·RULE·IS·MISSING
40 #·END·fix·for·'service_rsh_disabled'112 #·END·fix·for·'service_rsh_disabled'
  
41 ###############################################################################113 ###############################################################################
42 #·BEGIN·fix·(4·/·94)·for·'package_rsh-server_removed'114 #·BEGIN·fix·(5·/·94)·for·'package_rsh-server_removed'
43 ###############################################################################115 ###############################################################################
44 (>&2·echo·"Remediating·rule·4/94:·'package_rsh-server_removed'")116 (>&2·echo·"Remediating·rule·5/94:·'package_rsh-server_removed'")
45 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.117 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
46 #118 #
47 #·Example·Call(s):119 #·Example·Call(s):
48 #120 #
49 #·····package_remove·telnet-server121 #·····package_remove·telnet-server
50 #122 #
51 function·package_remove·{123 function·package_remove·{
Offset 83, 17 lines modifiedOffset 165, 17 lines modified
  
83 }165 }
  
84 package_remove·rsh-server166 package_remove·rsh-server
85 #·END·fix·for·'package_rsh-server_removed'167 #·END·fix·for·'package_rsh-server_removed'
  
Max diff block lines reached; 79730/84667 bytes (94.17%) of diff not shown.
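Review bot: The xinetd branch of `service_command` (new lines 84–91) never takes its first arm: line 86 compares `$service_operation` with `'disable'`, but that variable is only ever set to `start` or `stop` (lines 63 and 67), so both `service_command enable` and `service_command disable` write `disable = yes` into `/etc/xinetd.d/$xinetd`. Testing the state variable instead, `if [ "$service_state" = 'enable' ] ; then`, makes the existing `disable = no` arm the enable case and the `disable = yes` arm the disable case. The unquoted expansions `$3` on line 41 and `$service`/`$xinetd` on lines 72–89 would also misbehave on names containing spaces or glob characters; quoting them costs nothing. This role targets CentOS 6, so the chkconfig path on lines 71–73 is the one that runs here, and rules 2–4 (rlogin, rexec, rsh) still carry `# FIX FOR THIS RULE IS MISSING`.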
279 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-server.sh
    
Offset 45, 31 lines modifiedOffset 45, 17 lines modified
45 #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing'45 #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing'
46 ###############################################################################46 ###############################################################################
47 (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'")47 (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'")
48 #·FIX·FOR·THIS·RULE·IS·MISSING48 #·FIX·FOR·THIS·RULE·IS·MISSING
49 #·END·fix·for·'mount_option_smb_client_signing'49 #·END·fix·for·'mount_option_smb_client_signing'
  
50 ###############################################################################50 ###############################################################################
51 #·BEGIN·fix·(3·/·186)·for·'postfix_network_listening_disabled'51 #·BEGIN·fix·(3·/·186)·for·'service_ntpd_enabled'
52 ###############################################################################52 ###############################################################################
53 (>&2·echo·"Remediating·rule·3/186:·'postfix_network_listening_disabled'")53 (>&2·echo·"Remediating·rule·3/186:·'service_ntpd_enabled'")
54 #·FIX·FOR·THIS·RULE·IS·MISSING 
55 #·END·fix·for·'postfix_network_listening_disabled' 
  
56 ############################################################################### 
57 #·BEGIN·fix·(4·/·186)·for·'sysconfig_networking_bootproto_ifcfg' 
58 ############################################################################### 
59 (>&2·echo·"Remediating·rule·4/186:·'sysconfig_networking_bootproto_ifcfg'") 
60 #·FIX·FOR·THIS·RULE·IS·MISSING 
61 #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' 
  
62 ############################################################################### 
63 #·BEGIN·fix·(5·/·186)·for·'service_ntpd_enabled' 
64 ############################################################################### 
65 (>&2·echo·"Remediating·rule·5/186:·'service_ntpd_enabled'") 
66 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.54 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
67 #55 #
68 #·Example·Call(s):56 #·Example·Call(s):
69 #57 #
70 #·····service_command·enable·bluetooth58 #·····service_command·enable·bluetooth
71 #·····service_command·disable·bluetooth.service59 #·····service_command·disable·bluetooth.service
72 #60 #
Offset 141, 45 lines modifiedOffset 127, 24 lines modified
  
141 }127 }
  
142 service_command·enable·ntpd128 service_command·enable·ntpd
143 #·END·fix·for·'service_ntpd_enabled'129 #·END·fix·for·'service_ntpd_enabled'
  
144 ###############################################################################130 ###############################################################################
145 #·BEGIN·fix·(6·/·186)·for·'ntpd_specify_remote_server'131 #·BEGIN·fix·(4·/·186)·for·'ntpd_specify_remote_server'
146 ###############################################################################132 ###############################################################################
147 (>&2·echo·"Remediating·rule·6/186:·'ntpd_specify_remote_server'")133 (>&2·echo·"Remediating·rule·4/186:·'ntpd_specify_remote_server'")
148 #·FIX·FOR·THIS·RULE·IS·MISSING134 #·FIX·FOR·THIS·RULE·IS·MISSING
149 #·END·fix·for·'ntpd_specify_remote_server'135 #·END·fix·for·'ntpd_specify_remote_server'
  
150 ###############################################################################136 ###############################################################################
151 #·BEGIN·fix·(7·/·186)·for·'service_rlogin_disabled'137 #·BEGIN·fix·(5·/·186)·for·'package_openldap-servers_removed'
152 ############################################################################### 
153 (>&2·echo·"Remediating·rule·7/186:·'service_rlogin_disabled'") 
154 #·FIX·FOR·THIS·RULE·IS·MISSING 
155 #·END·fix·for·'service_rlogin_disabled' 
  
156 ############################################################################### 
157 #·BEGIN·fix·(8·/·186)·for·'service_rexec_disabled' 
158 ###############################################################################138 ###############################################################################
159 (>&2·echo·"Remediating·rule·8/186:·'service_rexec_disabled'")139 (>&2·echo·"Remediating·rule·5/186:·'package_openldap-servers_removed'")
160 #·FIX·FOR·THIS·RULE·IS·MISSING 
161 #·END·fix·for·'service_rexec_disabled' 
  
162 ############################################################################### 
163 #·BEGIN·fix·(9·/·186)·for·'service_rsh_disabled' 
164 ############################################################################### 
165 (>&2·echo·"Remediating·rule·9/186:·'service_rsh_disabled'") 
166 #·FIX·FOR·THIS·RULE·IS·MISSING 
167 #·END·fix·for·'service_rsh_disabled' 
  
168 ############################################################################### 
169 #·BEGIN·fix·(10·/·186)·for·'package_rsh-server_removed' 
170 ############################################################################### 
171 (>&2·echo·"Remediating·rule·10/186:·'package_rsh-server_removed'") 
172 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.140 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
173 #141 #
174 #·Example·Call(s):142 #·Example·Call(s):
175 #143 #
176 #·····package_remove·telnet-server144 #·····package_remove·telnet-server
177 #145 #
178 function·package_remove·{146 function·package_remove·{
Offset 209, 83 lines modifiedOffset 174, 279 lines modified
209 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"174 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
210 ··echo·"Aborting."175 ··echo·"Aborting."
211 ··exit·1176 ··exit·1
212 fi177 fi
  
213 }178 }
  
214 package_remove·rsh-server179 package_remove·openldap-servers
215 #·END·fix·for·'package_rsh-server_removed'180 #·END·fix·for·'package_openldap-servers_removed'
  
216 ###############################################################################181 ###############################################################################
217 #·BEGIN·fix·(11·/·186)·for·'no_rsh_trust_files'182 #·BEGIN·fix·(6·/·186)·for·'ldap_client_start_tls'
218 ###############################################################################183 ###############################################################################
219 (>&2·echo·"Remediating·rule·11/186:·'no_rsh_trust_files'")184 (>&2·echo·"Remediating·rule·6/186:·'ldap_client_start_tls'")
220 find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; 
  
221 if·[·-f·/etc/hosts.equiv·];·then 
222 »       /bin/rm·-f·/etc/hosts.equiv185 #·Use·LDAP·for·authentication
223 fi186 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
224 #·END·fix·for·'no_rsh_trust_files'187 #·it·does·not·exist.
 188 #
 189 #·Expects·arguments:
 190 #
 191 #·config_file:»  »  Configuration·file·that·will·be·modified
 192 #·key:»  »  »  Configuration·option·to·change
 193 #·value:»»Value·of·the·configuration·option·to·change
 194 #·cce:»  »  »  The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists
 195 #·format:»       »       The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments,
 196 #»      »      »      so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=)
 197 #
 198 #·Optional·arugments:
 199 #
 200 #·format:»       »       Optional·argument·to·specify·the·format·of·how·key/value·should·be
 201 #·»      »      »      modified/appended·in·the·configuration·file.·The·default·is·key·=·value.
 202 #
 203 #·Example·Call(s):
 204 #
 205 #·····With·default·format·of·'key·=·value':
 206 #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@'
 207 #
 208 #·····With·custom·key/value·format:
 209 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s'
 210 #
 211 #·····With·a·variable:
 212 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s'
 213 #
 214 function·replace_or_append·{
 215 ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option=''
 216 ··local·config_file=$1
Max diff block lines reached; 274005/285608 bytes (95.94%) of diff not shown.
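Review bot: The header comment of `replace_or_append` (new lines 186–213) has typos on line 196 (`subsitution` → `substitution`) and line 198 (`Optional arugments:` → `Optional arguments:`), and it documents `format` twice, once under the required arguments (line 195) and once as optional (line 200); the second description is presumably the intended one, so the first entry should say the argument is optional and name the default `'%s = %s'` that line 215 sets. The function body continues past the truncated hunk, so only the comment can be reviewed here. `package_remove openldap-servers` on new line 179 is the only executable change visible in this section.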
275 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-standard.sh
    
Offset 46, 24 lines modifiedOffset 46, 17 lines modified
46 #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing'46 #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing'
47 ###############################################################################47 ###############################################################################
48 (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'")48 (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'")
49 #·FIX·FOR·THIS·RULE·IS·MISSING49 #·FIX·FOR·THIS·RULE·IS·MISSING
50 #·END·fix·for·'mount_option_smb_client_signing'50 #·END·fix·for·'mount_option_smb_client_signing'
  
51 ###############################################################################51 ###############################################################################
52 #·BEGIN·fix·(3·/·182)·for·'postfix_network_listening_disabled'52 #·BEGIN·fix·(3·/·182)·for·'service_ntpd_enabled'
53 ###############################################################################53 ###############################################################################
54 (>&2·echo·"Remediating·rule·3/182:·'postfix_network_listening_disabled'")54 (>&2·echo·"Remediating·rule·3/182:·'service_ntpd_enabled'")
55 #·FIX·FOR·THIS·RULE·IS·MISSING 
56 #·END·fix·for·'postfix_network_listening_disabled' 
  
57 ############################################################################### 
58 #·BEGIN·fix·(4·/·182)·for·'service_ntpd_enabled' 
59 ############################################################################### 
60 (>&2·echo·"Remediating·rule·4/182:·'service_ntpd_enabled'") 
61 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.55 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
62 #56 #
63 #·Example·Call(s):57 #·Example·Call(s):
64 #58 #
65 #·····service_command·enable·bluetooth59 #·····service_command·enable·bluetooth
66 #·····service_command·disable·bluetooth.service60 #·····service_command·disable·bluetooth.service
67 #61 #
Offset 135, 45 lines modifiedOffset 128, 24 lines modified
  
135 }128 }
  
136 service_command·enable·ntpd129 service_command·enable·ntpd
137 #·END·fix·for·'service_ntpd_enabled'130 #·END·fix·for·'service_ntpd_enabled'
  
138 ###############################################################################131 ###############################################################################
139 #·BEGIN·fix·(5·/·182)·for·'ntpd_specify_remote_server'132 #·BEGIN·fix·(4·/·182)·for·'ntpd_specify_remote_server'
140 ###############################################################################133 ###############################################################################
141 (>&2·echo·"Remediating·rule·5/182:·'ntpd_specify_remote_server'")134 (>&2·echo·"Remediating·rule·4/182:·'ntpd_specify_remote_server'")
142 #·FIX·FOR·THIS·RULE·IS·MISSING135 #·FIX·FOR·THIS·RULE·IS·MISSING
143 #·END·fix·for·'ntpd_specify_remote_server'136 #·END·fix·for·'ntpd_specify_remote_server'
  
144 ###############################################################################137 ###############################################################################
145 #·BEGIN·fix·(6·/·182)·for·'service_rlogin_disabled'138 #·BEGIN·fix·(5·/·182)·for·'package_openldap-servers_removed'
146 ############################################################################### 
147 (>&2·echo·"Remediating·rule·6/182:·'service_rlogin_disabled'") 
148 #·FIX·FOR·THIS·RULE·IS·MISSING 
149 #·END·fix·for·'service_rlogin_disabled' 
  
150 ############################################################################### 
151 #·BEGIN·fix·(7·/·182)·for·'service_rexec_disabled' 
152 ############################################################################### 
153 (>&2·echo·"Remediating·rule·7/182:·'service_rexec_disabled'") 
154 #·FIX·FOR·THIS·RULE·IS·MISSING 
155 #·END·fix·for·'service_rexec_disabled' 
  
156 ############################################################################### 
157 #·BEGIN·fix·(8·/·182)·for·'service_rsh_disabled' 
158 ###############################################################################139 ###############################################################################
159 (>&2·echo·"Remediating·rule·8/182:·'service_rsh_disabled'")140 (>&2·echo·"Remediating·rule·5/182:·'package_openldap-servers_removed'")
160 #·FIX·FOR·THIS·RULE·IS·MISSING 
161 #·END·fix·for·'service_rsh_disabled' 
  
162 ############################################################################### 
163 #·BEGIN·fix·(9·/·182)·for·'package_rsh-server_removed' 
164 ############################################################################### 
165 (>&2·echo·"Remediating·rule·9/182:·'package_rsh-server_removed'") 
166 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.141 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
167 #142 #
168 #·Example·Call(s):143 #·Example·Call(s):
169 #144 #
170 #·····package_remove·telnet-server145 #·····package_remove·telnet-server
171 #146 #
172 function·package_remove·{147 function·package_remove·{
Offset 203, 83 lines modifiedOffset 175, 279 lines modified
203 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"175 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
204 ··echo·"Aborting."176 ··echo·"Aborting."
205 ··exit·1177 ··exit·1
206 fi178 fi
  
207 }179 }
  
208 package_remove·rsh-server180 package_remove·openldap-servers
209 #·END·fix·for·'package_rsh-server_removed'181 #·END·fix·for·'package_openldap-servers_removed'
  
210 ###############################################################################182 ###############################################################################
211 #·BEGIN·fix·(10·/·182)·for·'no_rsh_trust_files'183 #·BEGIN·fix·(6·/·182)·for·'ldap_client_start_tls'
212 ###############################################################################184 ###############################################################################
213 (>&2·echo·"Remediating·rule·10/182:·'no_rsh_trust_files'")185 (>&2·echo·"Remediating·rule·6/182:·'ldap_client_start_tls'")
214 find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; 
  
215 if·[·-f·/etc/hosts.equiv·];·then 
216 »       /bin/rm·-f·/etc/hosts.equiv186 #·Use·LDAP·for·authentication
217 fi187 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
218 #·END·fix·for·'no_rsh_trust_files'188 #·it·does·not·exist.
 189 #
 190 #·Expects·arguments:
 191 #
 192 #·config_file:»  »  Configuration·file·that·will·be·modified
 193 #·key:»  »  »  Configuration·option·to·change
 194 #·value:»»Value·of·the·configuration·option·to·change
 195 #·cce:»  »  »  The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists
 196 #·format:»       »       The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments,
 197 #»      »      »      so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=)
 198 #
 199 #·Optional·arugments:
 200 #
 201 #·format:»       »       Optional·argument·to·specify·the·format·of·how·key/value·should·be
 202 #·»      »      »      modified/appended·in·the·configuration·file.·The·default·is·key·=·value.
 203 #
 204 #·Example·Call(s):
 205 #
 206 #·····With·default·format·of·'key·=·value':
 207 #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@'
 208 #
 209 #·····With·custom·key/value·format:
 210 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s'
 211 #
 212 #·····With·a·variable:
 213 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s'
 214 #
 215 function·replace_or_append·{
 216 ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option=''
 217 ··local·config_file=$1
 218 ··local·key=$2
 219 ··local·value=$3
 220 ··local·cce=$4
 221 ··local·format=$5
  
 222 ··if·[·"$case_insensitive_mode"·=·yes·];·then
 223 ····sed_case_insensitive_option="i"
Max diff block lines reached; 270022/281230 bytes (96.01%) of diff not shown.
351 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-stig-rhel6-disa.sh
    
Offset 25, 17 lines modifiedOffset 25, 31 lines modified
25 #25 #
26 #·How·to·apply·this·remediation·role:26 #·How·to·apply·this·remediation·role:
27 #·$·sudo·./remediation-role.sh27 #·$·sudo·./remediation-role.sh
28 #28 #
29 ###############################################################################29 ###############################################################################
  
30 ###############################################################################30 ###############################################################################
31 #·BEGIN·fix·(1·/·250)·for·'require_smb_client_signing'31 #·BEGIN·fix·(1·/·250)·for·'ftp_log_transactions'
32 ###############################################################################32 ###############################################################################
33 (>&2·echo·"Remediating·rule·1/250:·'require_smb_client_signing'")33 (>&2·echo·"Remediating·rule·1/250:·'ftp_log_transactions'")
 34 #·FIX·FOR·THIS·RULE·IS·MISSING
 35 #·END·fix·for·'ftp_log_transactions'
  
 36 ###############################################################################
 37 #·BEGIN·fix·(2·/·250)·for·'ftp_present_banner'
 38 ###############################################################################
 39 (>&2·echo·"Remediating·rule·2/250:·'ftp_present_banner'")
 40 #·FIX·FOR·THIS·RULE·IS·MISSING
 41 #·END·fix·for·'ftp_present_banner'
  
 42 ###############################################################################
 43 #·BEGIN·fix·(3·/·250)·for·'require_smb_client_signing'
 44 ###############################################################################
 45 (>&2·echo·"Remediating·rule·3/250:·'require_smb_client_signing'")
34 ######################################################################46 ######################################################################
35 #By·Luke·"Brisk-OH"·Brisk47 #By·Luke·"Brisk-OH"·Brisk
36 #luke.brisk@boeing.com·or·luke.brisk@gmail.com48 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
37 ######################################################################49 ######################################################################
  
38 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)50 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
Offset 44, 38 lines modifiedOffset 58, 113 lines modified
44 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf58 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
45 else59 else
46 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf60 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
47 fi61 fi
48 #·END·fix·for·'require_smb_client_signing'62 #·END·fix·for·'require_smb_client_signing'
  
49 ###############################################################################63 ###############################################################################
50 #·BEGIN·fix·(2·/·250)·for·'mount_option_smb_client_signing'64 #·BEGIN·fix·(4·/·250)·for·'mount_option_smb_client_signing'
51 ###############################################################################65 ###############################################################################
52 (>&2·echo·"Remediating·rule·2/250:·'mount_option_smb_client_signing'")66 (>&2·echo·"Remediating·rule·4/250:·'mount_option_smb_client_signing'")
53 #·FIX·FOR·THIS·RULE·IS·MISSING67 #·FIX·FOR·THIS·RULE·IS·MISSING
54 #·END·fix·for·'mount_option_smb_client_signing'68 #·END·fix·for·'mount_option_smb_client_signing'
  
55 ###############################################################################69 ###############################################################################
56 #·BEGIN·fix·(3·/·250)·for·'postfix_client_configure_mail_alias'70 #·BEGIN·fix·(5·/·250)·for·'service_ntpd_enabled'
57 ###############################################################################71 ###############################################################################
58 (>&2·echo·"Remediating·rule·3/250:·'postfix_client_configure_mail_alias'")72 (>&2·echo·"Remediating·rule·5/250:·'service_ntpd_enabled'")
59 #·FIX·FOR·THIS·RULE·IS·MISSING73 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
60 #·END·fix·for·'postfix_client_configure_mail_alias'74 #
 75 #·Example·Call(s):
 76 #
 77 #·····service_command·enable·bluetooth
 78 #·····service_command·disable·bluetooth.service
 79 #
 80 #·····Using·xinetd:
 81 #·····service_command·disable·rsh.socket·xinetd=rsh
 82 #
 83 function·service_command·{
  
 84 #·Load·function·arguments·into·local·variables
 85 local·service_state=$1
 86 local·service=$2
 87 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 88 #·Check·sanity·of·the·input
 89 if·[·$#·-lt·"2"·]
 90 then
 91 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 92 ··echo
 93 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 94 ··echo·"as·the·last·argument"··
 95 ··echo·"Aborting."
 96 ··exit·1
 97 fi
  
 98 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 99 if·[·-f·"/usr/bin/systemctl"·]·;·then
 100 ··service_util="/usr/bin/systemctl"
 101 else
 102 ··service_util="/sbin/service"
 103 ··chkconfig_util="/sbin/chkconfig"
 104 fi
  
 105 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 106 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 107 if·[·"$service_state"·!=·'disable'·]·;·then
 108 ··service_state="enable"
 109 ··service_operation="start"
 110 ··chkconfig_state="on"
 111 else
 112 ··service_state="disable"
 113 ··service_operation="stop"
 114 ··chkconfig_state="off"
 115 fi
  
 116 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 117 if·[·"x$chkconfig_util"·!=·x·]·;·then
 118 ··$service_util·$service·$service_operation
 119 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 120 else
 121 ··$service_util·$service_operation·$service
 122 ··$service_util·$service_state·$service
 123 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 124 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 125 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 126 ··$service_util·reset-failed·$service
 127 fi
  
 128 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 129 #·If·empty,·then·xinetd·is·not·being·used.
 130 if·[·"x$xinetd"·!=·x·]·;·then
 131 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 132 ··if·[·"$service_operation"·=·'disable'·]·;·then
 133 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 134 ··else
 135 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 136 ··fi
 137 fi
  
 138 }
  
 139 service_command·enable·ntpd
 140 #·END·fix·for·'service_ntpd_enabled'
  
Max diff block lines reached; 353872/359166 bytes (98.53%) of diff not shown.
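Review bot: In the `service_command` helper pasted for `service_ntpd_enabled` (new lines 83–138), the xinetd branch at line 132 tests `"$service_operation" = 'disable'`, but that variable only ever holds `start` or `stop` (lines 109 and 113), so the condition can never be true and the else branch writes `disable = yes` into `/etc/xinetd.d/$xinetd` even when the caller asked for `enable`. The enable/disable state lives in `service_state`, and the existing branch bodies already line up with it once the test is flipped: `if [ "$service_state" = 'enable' ] ; then` (then-branch writes `disable = no`, else-branch writes `disable = yes`). The `service_command enable ntpd` call at line 139 passes no `xinetd=` argument, so this particular invocation is unaffected, but the same helper is duplicated into every service rule of the role. The rest of the file is cut off by the diff viewer, so callers that do pass an xinetd argument are not visible here.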
386 KB
./usr/share/scap-security-guide/bash/ssg-centos6-role-usgcb-rhel6-server.sh
    
Offset 19, 17 lines modifiedOffset 19, 17 lines modified
19 #19 #
20 #·How·to·apply·this·remediation·role:20 #·How·to·apply·this·remediation·role:
21 #·$·sudo·./remediation-role.sh21 #·$·sudo·./remediation-role.sh
22 #22 #
23 ###############################################################################23 ###############################################################################
  
24 ###############################################################################24 ###############################################################################
25 #·BEGIN·fix·(1·/·223)·for·'service_smb_disabled'25 #·BEGIN·fix·(1·/·223)·for·'service_vsftpd_disabled'
26 ###############################################################################26 ###############################################################################
27 (>&2·echo·"Remediating·rule·1/223:·'service_smb_disabled'")27 (>&2·echo·"Remediating·rule·1/223:·'service_vsftpd_disabled'")
28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
29 #29 #
30 #·Example·Call(s):30 #·Example·Call(s):
31 #31 #
32 #·····service_command·enable·bluetooth32 #·····service_command·enable·bluetooth
33 #·····service_command·disable·bluetooth.service33 #·····service_command·disable·bluetooth.service
34 #34 #
Offset 97, 47 lines modifiedOffset 97, 65 lines modified
97 ··else97 ··else
98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
99 ··fi99 ··fi
100 fi100 fi
  
101 }101 }
  
102 service_command·disable·smb102 service_command·disable·vsftpd
103 #·END·fix·for·'service_smb_disabled'103 #·END·fix·for·'service_vsftpd_disabled'
  
104 ###############################################################################104 ###############################################################################
105 #·BEGIN·fix·(2·/·223)·for·'require_smb_client_signing'105 #·BEGIN·fix·(2·/·223)·for·'package_vsftpd_removed'
106 ###############################################################################106 ###############################################################################
107 (>&2·echo·"Remediating·rule·2/223:·'require_smb_client_signing'")107 (>&2·echo·"Remediating·rule·2/223:·'package_vsftpd_removed'")
108 ######################################################################108 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
109 #By·Luke·"Brisk-OH"·Brisk109 #
110 #luke.brisk@boeing.com·or·luke.brisk@gmail.com110 #·Example·Call(s):
111 ######################################################################111 #
 112 #·····package_remove·telnet-server
 113 #
 114 function·package_remove·{
  
112 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)115 #·Load·function·arguments·into·local·variables
 116 local·package="$1"
  
113 if·[·"$CLIENTSIGNING"·-eq·0·];··then117 #·Check·sanity·of·the·input
114 »       #·Add·to·global·section118 if·[·$#·-ne·"1"·]
115 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf119 then
 120 ··echo·"Usage:·package_remove·'package_name'"
 121 ··echo·"Aborting."
 122 ··exit·1
 123 fi
  
 124 if·which·dnf·;·then
 125 ··if·rpm·-q·--quiet·"$package";·then
 126 ····dnf·remove·-y·"$package"
 127 ··fi
 128 elif·which·yum·;·then
 129 ··if·rpm·-q·--quiet·"$package";·then
 130 ····yum·remove·-y·"$package"
 131 ··fi
 132 elif·which·apt-get·;·then
 133 ··apt-get·remove·-y·"$package"
116 else134 else
117 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf135 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 136 ··echo·"Aborting."
 137 ··exit·1
118 fi138 fi
119 #·END·fix·for·'require_smb_client_signing' 
  
120 ###############################################################################139 }
121 #·BEGIN·fix·(3·/·223)·for·'mount_option_smb_client_signing' 
122 ###############################################################################140 package_remove·vsftpd
123 (>&2·echo·"Remediating·rule·3/223:·'mount_option_smb_client_signing'")141 #·END·fix·for·'package_vsftpd_removed'
124 #·FIX·FOR·THIS·RULE·IS·MISSING 
125 #·END·fix·for·'mount_option_smb_client_signing' 
  
126 ###############################################################################142 ###############################################################################
127 #·BEGIN·fix·(4·/·223)·for·'service_httpd_disabled'143 #·BEGIN·fix·(3·/·223)·for·'service_httpd_disabled'
128 ###############################################################################144 ###############################################################################
129 (>&2·echo·"Remediating·rule·4/223:·'service_httpd_disabled'")145 (>&2·echo·"Remediating·rule·3/223:·'service_httpd_disabled'")
130 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.146 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
131 #147 #
132 #·Example·Call(s):148 #·Example·Call(s):
133 #149 #
134 #·····service_command·enable·bluetooth150 #·····service_command·enable·bluetooth
135 #·····service_command·disable·bluetooth.service151 #·····service_command·disable·bluetooth.service
136 #152 #
Offset 209, 17 lines modifiedOffset 227, 17 lines modified
  
209 }227 }
  
210 service_command·disable·httpd228 service_command·disable·httpd
211 #·END·fix·for·'service_httpd_disabled'229 #·END·fix·for·'service_httpd_disabled'
  
212 ###############################################################################230 ###############################################################################
213 #·BEGIN·fix·(5·/·223)·for·'package_httpd_removed'231 #·BEGIN·fix·(4·/·223)·for·'package_httpd_removed'
214 ###############################################################################232 ###############################################################################
215 (>&2·echo·"Remediating·rule·5/223:·'package_httpd_removed'")233 (>&2·echo·"Remediating·rule·4/223:·'package_httpd_removed'")
216 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.234 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
217 #235 #
218 #·Example·Call(s):236 #·Example·Call(s):
219 #237 #
220 #·····package_remove·telnet-server238 #·····package_remove·telnet-server
221 #239 #
222 function·package_remove·{240 function·package_remove·{
Offset 253, 68 lines modifiedOffset 271, 99 lines modified
  
253 }271 }
  
254 package_remove·httpd272 package_remove·httpd
255 #·END·fix·for·'package_httpd_removed'273 #·END·fix·for·'package_httpd_removed'
  
256 ###############################################################################274 ###############################################################################
257 #·BEGIN·fix·(6·/·223)·for·'postfix_network_listening_disabled'275 #·BEGIN·fix·(5·/·223)·for·'service_named_disabled'
258 ############################################################################### 
259 (>&2·echo·"Remediating·rule·6/223:·'postfix_network_listening_disabled'") 
260 #·FIX·FOR·THIS·RULE·IS·MISSING 
261 #·END·fix·for·'postfix_network_listening_disabled' 
  
262 ############################################################################### 
263 #·BEGIN·fix·(7·/·223)·for·'package_sendmail_removed' 
264 ###############################################################################276 ###############################################################################
265 (>&2·echo·"Remediating·rule·7/223:·'package_sendmail_removed'")277 (>&2·echo·"Remediating·rule·5/223:·'service_named_disabled'")
266 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.278 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
267 #279 #
268 #·Example·Call(s):280 #·Example·Call(s):
269 #281 #
270 #·····package_remove·telnet-server282 #·····service_command·enable·bluetooth
Max diff block lines reached; 388953/394659 bytes (98.55%) of diff not shown.
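Review bot: The rule order in this generated role differs between the two builds — rule 1/223 is `service_smb_disabled` on one side and `service_vsftpd_disabled` on the other, and `require_smb_client_signing` / `mount_option_smb_client_signing` drop out of positions 2–3 while the total stays at 223 — so the shipped remediation script is not reproducible even though the selected rule set appears unchanged. This looks like the generator emitting rules from an unordered collection rather than in profile order; sorting the selected rule ids (or walking the profile's selection list in its declared order) before assigning the `(N / 223)` numbers would make both the headers and the script body stable across builds. Because each rule's helper function is re-pasted inline, the varying order also means the `service_command` and `package_remove` definitions are redefined at different points of the script, which is harmless in bash but makes byte-level comparison of the role impossible. The file is truncated by the diff viewer, so rules past 5/223 cannot be compared here.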
134 KB
./usr/share/scap-security-guide/bash/ssg-centos7-role-C2S.sh
    
Offset 369, 17 lines modifiedOffset 369, 61 lines modified
  
369 }369 }
  
370 service_command·disable·tftp370 service_command·disable·tftp
371 #·END·fix·for·'service_tftp_disabled'371 #·END·fix·for·'service_tftp_disabled'
  
372 ###############################################################################372 ###############################################################################
373 #·BEGIN·fix·(11·/·213)·for·'service_xinetd_disabled'373 #·BEGIN·fix·(11·/·213)·for·'package_tcp_wrappers_installed'
374 ###############################################################################374 ###############################################################################
375 (>&2·echo·"Remediating·rule·11/213:·'service_xinetd_disabled'")375 (>&2·echo·"Remediating·rule·11/213:·'package_tcp_wrappers_installed'")
 376 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 377 #
 378 #·Example·Call(s):
 379 #
 380 #·····package_install·aide
 381 #
 382 function·package_install·{
  
 383 #·Load·function·arguments·into·local·variables
 384 local·package="$1"
  
 385 #·Check·sanity·of·the·input
 386 if·[·$#·-ne·"1"·]
 387 then
 388 ··echo·"Usage:·package_install·'package_name'"
 389 ··echo·"Aborting."
 390 ··exit·1
 391 fi
  
 392 if·which·dnf·;·then
 393 ··if·!·rpm·-q·--quiet·"$package";·then
 394 ····dnf·install·-y·"$package"
 395 ··fi
 396 elif·which·yum·;·then
 397 ··if·!·rpm·-q·--quiet·"$package";·then
 398 ····yum·install·-y·"$package"
 399 ··fi
 400 elif·which·apt-get·;·then
 401 ··apt-get·install·-y·"$package"
 402 else
 403 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 404 ··echo·"Aborting."
 405 ··exit·1
 406 fi
  
 407 }
  
 408 package_install·tcp_wrappers
 409 #·END·fix·for·'package_tcp_wrappers_installed'
  
 410 ###############################################################################
 411 #·BEGIN·fix·(12·/·213)·for·'service_xinetd_disabled'
 412 ###############################################################################
 413 (>&2·echo·"Remediating·rule·12/213:·'service_xinetd_disabled'")
376 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.414 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
377 #415 #
378 #·Example·Call(s):416 #·Example·Call(s):
379 #417 #
380 #·····service_command·enable·bluetooth418 #·····service_command·enable·bluetooth
381 #·····service_command·disable·bluetooth.service419 #·····service_command·disable·bluetooth.service
382 #420 #
Offset 451, 61 lines modifiedOffset 495, 61 lines modified
  
451 }495 }
  
452 service_command·disable·xinetd496 service_command·disable·xinetd
453 #·END·fix·for·'service_xinetd_disabled'497 #·END·fix·for·'service_xinetd_disabled'
  
454 ###############################################################################498 ###############################################################################
455 #·BEGIN·fix·(12·/·213)·for·'package_tcp_wrappers_installed'499 #·BEGIN·fix·(13·/·213)·for·'package_talk_removed'
456 ###############################################################################500 ###############################################################################
457 (>&2·echo·"Remediating·rule·12/213:·'package_tcp_wrappers_installed'")501 (>&2·echo·"Remediating·rule·13/213:·'package_talk_removed'")
458 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.502 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
459 #503 #
460 #·Example·Call(s):504 #·Example·Call(s):
461 #505 #
462 #·····package_install·aide506 #·····package_remove·telnet-server
463 #507 #
464 function·package_install·{508 function·package_remove·{
  
465 #·Load·function·arguments·into·local·variables509 #·Load·function·arguments·into·local·variables
466 local·package="$1"510 local·package="$1"
  
467 #·Check·sanity·of·the·input511 #·Check·sanity·of·the·input
468 if·[·$#·-ne·"1"·]512 if·[·$#·-ne·"1"·]
469 then513 then
470 ··echo·"Usage:·package_install·'package_name'"514 ··echo·"Usage:·package_remove·'package_name'"
471 ··echo·"Aborting."515 ··echo·"Aborting."
472 ··exit·1516 ··exit·1
473 fi517 fi
  
474 if·which·dnf·;·then518 if·which·dnf·;·then
475 ··if·!·rpm·-q·--quiet·"$package";·then519 ··if·rpm·-q·--quiet·"$package";·then
476 ····dnf·install·-y·"$package"520 ····dnf·remove·-y·"$package"
477 ··fi521 ··fi
478 elif·which·yum·;·then522 elif·which·yum·;·then
479 ··if·!·rpm·-q·--quiet·"$package";·then523 ··if·rpm·-q·--quiet·"$package";·then
480 ····yum·install·-y·"$package"524 ····yum·remove·-y·"$package"
481 ··fi525 ··fi
482 elif·which·apt-get·;·then526 elif·which·apt-get·;·then
483 ··apt-get·install·-y·"$package"527 ··apt-get·remove·-y·"$package"
484 else528 else
485 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"529 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
486 ··echo·"Aborting."530 ··echo·"Aborting."
487 ··exit·1531 ··exit·1
488 fi532 fi
  
489 }533 }
  
490 package_install·tcp_wrappers534 package_remove·talk
491 #·END·fix·for·'package_tcp_wrappers_installed'535 #·END·fix·for·'package_talk_removed'
  
492 ###############################################################################536 ###############################################################################
493 #·BEGIN·fix·(13·/·213)·for·'package_talk_removed'537 #·BEGIN·fix·(14·/·213)·for·'package_talk-server_removed'
494 ###############################################################################538 ###############################################################################
495 (>&2·echo·"Remediating·rule·13/213:·'package_talk_removed'")539 (>&2·echo·"Remediating·rule·14/213:·'package_talk-server_removed'")
496 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.540 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
497 #541 #
498 #·Example·Call(s):542 #·Example·Call(s):
499 #543 #
500 #·····package_remove·telnet-server544 #·····package_remove·telnet-server
501 #545 #
502 function·package_remove·{546 function·package_remove·{
Offset 535, 65 lines modifiedOffset 579, 103 lines modified
535 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"579 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
536 ··echo·"Aborting."580 ··echo·"Aborting."
537 ··exit·1581 ··exit·1
Max diff block lines reached; 132822/137164 bytes (96.83%) of diff not shown.
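Review bot: The `package_install` helper added for `package_tcp_wrappers_installed` (new lines 382–407) probes the package manager with bare `which dnf` / `which yum` / `which apt-get` tests, which print the resolved path to stdout for every rule, and none of `dnf install -y`, `yum install -y` or `apt-get install -y` has its exit status checked, so a failed install of `tcp_wrappers` (no repository, no network) is not detected and the role simply moves on to the next rule. Redirecting the probes with `if which dnf >/dev/null 2>&1 ; then` removes the noise, and a guard such as `dnf install -y "$package" || { echo "Failed to install $package" >&2; exit 1; }` (mirroring the existing "Aborting." path) makes the failure visible — or at least a warning to stderr if aborting the whole role is undesirable. No `set -e` is visible in this section, so the file header would need to be checked before relying on one; the `package_remove` copy at line 546 onward has the same structure but its body is cut off by the diff viewer.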
74.1 KB
./usr/share/scap-security-guide/bash/ssg-centos7-role-cjis.sh
    
Offset 192, 17 lines modifiedOffset 192, 19 lines modified
192 ··fi192 ··fi
193 }193 }
  
194 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'194 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
195 #·END·fix·for·'sshd_set_keepalive'195 #·END·fix·for·'sshd_set_keepalive'
  
196 ###############################################################################196 ###############################################################################
197 #·BEGIN·fix·(3·/·102)·for·'sshd_enable_warning_banner'197 #·BEGIN·fix·(3·/·102)·for·'sshd_set_idle_timeout'
198 ###############################################################################198 ###############################################################################
199 (>&2·echo·"Remediating·rule·3/102:·'sshd_enable_warning_banner'")199 (>&2·echo·"Remediating·rule·3/102:·'sshd_set_idle_timeout'")
  
 200 sshd_idle_timeout_value="1800"
200 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if201 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
201 #·it·does·not·exist.202 #·it·does·not·exist.
202 #203 #
203 #·Expects·arguments:204 #·Expects·arguments:
204 #205 #
205 #·config_file:»  »  Configuration·file·that·will·be·modified206 #·config_file:»  »  Configuration·file·that·will·be·modified
206 #·key:»  »  »  Configuration·option·to·change207 #·key:»  »  »  Configuration·option·to·change
Offset 273, 21 lines modifiedOffset 275, 21 lines modified
273 ··else275 ··else
274 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline276 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
275 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"277 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
276 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"278 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
277 ··fi279 ··fi
278 }280 }
  
279 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'281 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
280 #·END·fix·for·'sshd_enable_warning_banner'282 #·END·fix·for·'sshd_set_idle_timeout'
  
281 ###############################################################################283 ###############################################################################
282 #·BEGIN·fix·(4·/·102)·for·'sshd_do_not_permit_user_env'284 #·BEGIN·fix·(4·/·102)·for·'sshd_enable_warning_banner'
283 ###############################################################################285 ###############################################################################
284 (>&2·echo·"Remediating·rule·4/102:·'sshd_do_not_permit_user_env'")286 (>&2·echo·"Remediating·rule·4/102:·'sshd_enable_warning_banner'")
285 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if287 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
286 #·it·does·not·exist.288 #·it·does·not·exist.
287 #289 #
288 #·Expects·arguments:290 #·Expects·arguments:
289 #291 #
290 #·config_file:»  »  Configuration·file·that·will·be·modified292 #·config_file:»  »  Configuration·file·that·will·be·modified
291 #·key:»  »  »  Configuration·option·to·change293 #·key:»  »  »  Configuration·option·to·change
Offset 358, 16 lines modifiedOffset 360, 16 lines modified
358 ··else360 ··else
359 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline361 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
360 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"362 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
361 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"363 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
362 ··fi364 ··fi
363 }365 }
  
364 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'366 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'
365 #·END·fix·for·'sshd_do_not_permit_user_env'367 #·END·fix·for·'sshd_enable_warning_banner'
  
366 ###############################################################################368 ###############################################################################
367 #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2'369 #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2'
368 ###############################################################################370 ###############################################################################
369 (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'")371 (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'")
370 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if372 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
371 #·it·does·not·exist.373 #·it·does·not·exist.
Offset 532, 19 lines modifiedOffset 534, 17 lines modified
532 ··fi534 ··fi
533 }535 }
  
534 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'536 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'
535 #·END·fix·for·'sshd_disable_rhosts'537 #·END·fix·for·'sshd_disable_rhosts'
  
536 ###############################################################################538 ###############################################################################
537 #·BEGIN·fix·(7·/·102)·for·'sshd_set_idle_timeout'539 #·BEGIN·fix·(7·/·102)·for·'sshd_do_not_permit_user_env'
538 ###############################################################################540 ###############################################################################
539 (>&2·echo·"Remediating·rule·7/102:·'sshd_set_idle_timeout'")541 (>&2·echo·"Remediating·rule·7/102:·'sshd_do_not_permit_user_env'")
  
540 sshd_idle_timeout_value="1800" 
541 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if542 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
542 #·it·does·not·exist.543 #·it·does·not·exist.
543 #544 #
544 #·Expects·arguments:545 #·Expects·arguments:
545 #546 #
546 #·config_file:»  »  Configuration·file·that·will·be·modified547 #·config_file:»  »  Configuration·file·that·will·be·modified
547 #·key:»  »  »  Configuration·option·to·change548 #·key:»  »  »  Configuration·option·to·change
Offset 615, 16 lines modifiedOffset 615, 16 lines modified
615 ··else615 ··else
616 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline616 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
617 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"617 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
618 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"618 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
619 ··fi619 ··fi
620 }620 }
  
621 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'621 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'
622 #·END·fix·for·'sshd_set_idle_timeout'622 #·END·fix·for·'sshd_do_not_permit_user_env'
  
623 ###############################################################################623 ###############################################################################
624 #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers'624 #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers'
625 ###############################################################################625 ###############################################################################
626 (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'")626 (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'")
627 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if627 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
628 #·it·does·not·exist.628 #·it·does·not·exist.
Offset 1193, 19 lines modifiedOffset 1193, 17 lines modified
1193 include_dconf_settings1193 include_dconf_settings
  
1194 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'1194 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'
1195 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'1195 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'
1196 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'1196 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'
  
1197 ###############################################################################1197 ###############################################################################
1198 #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_idle_delay'1198 #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_mode_blank'
1199 ###############################################################################1199 ###############################################################################
1200 (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_idle_delay'")1200 (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_mode_blank'")
  
1201 inactivity_timeout_value="1800" 
1202 function·include_dconf_settings·{1201 function·include_dconf_settings·{
1203 »       :1202 »       :
1204 }1203 }
  
1205 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.1204 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
1206 #1205 #
1207 #·Example·Call(s):1206 #·Example·Call(s):
Offset 1273, 22 lines modifiedOffset 1271, 24 lines modified
1273 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"1271 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"
1274 »       fi1272 »       fi
1275 }1273 }
  
  
1276 include_dconf_settings1274 include_dconf_settings
  
1277 dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings'1275 dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings'
1278 dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock'1276 dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock'
1279 #·END·fix·for·'dconf_gnome_screensaver_idle_delay'1277 #·END·fix·for·'dconf_gnome_screensaver_mode_blank'
  
Max diff block lines reached; 69231/75731 bytes (91.42%) of diff not shown.
98.1 KB
./usr/share/scap-security-guide/bash/ssg-centos7-role-hipaa.sh
    
Offset 285, 17 lines modifiedOffset 285, 61 lines modified
  
285 }285 }
  
286 package_remove·telnet-server286 package_remove·telnet-server
287 #·END·fix·for·'package_telnet-server_removed'287 #·END·fix·for·'package_telnet-server_removed'
  
288 ###############################################################################288 ###############################################################################
289 #·BEGIN·fix·(10·/·149)·for·'service_ypbind_disabled'289 #·BEGIN·fix·(10·/·149)·for·'package_ypbind_removed'
290 ###############################################################################290 ###############################################################################
291 (>&2·echo·"Remediating·rule·10/149:·'service_ypbind_disabled'")291 (>&2·echo·"Remediating·rule·10/149:·'package_ypbind_removed'")
 292 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 293 #
 294 #·Example·Call(s):
 295 #
 296 #·····package_remove·telnet-server
 297 #
 298 function·package_remove·{
  
 299 #·Load·function·arguments·into·local·variables
 300 local·package="$1"
  
 301 #·Check·sanity·of·the·input
 302 if·[·$#·-ne·"1"·]
 303 then
 304 ··echo·"Usage:·package_remove·'package_name'"
 305 ··echo·"Aborting."
 306 ··exit·1
 307 fi
  
 308 if·which·dnf·;·then
 309 ··if·rpm·-q·--quiet·"$package";·then
 310 ····dnf·remove·-y·"$package"
 311 ··fi
 312 elif·which·yum·;·then
 313 ··if·rpm·-q·--quiet·"$package";·then
 314 ····yum·remove·-y·"$package"
 315 ··fi
 316 elif·which·apt-get·;·then
 317 ··apt-get·remove·-y·"$package"
 318 else
 319 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 320 ··echo·"Aborting."
 321 ··exit·1
 322 fi
  
 323 }
  
 324 package_remove·ypbind
 325 #·END·fix·for·'package_ypbind_removed'
  
 326 ###############################################################################
 327 #·BEGIN·fix·(11·/·149)·for·'service_ypbind_disabled'
 328 ###############################################################################
 329 (>&2·echo·"Remediating·rule·11/149:·'service_ypbind_disabled'")
292 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.330 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
293 #331 #
294 #·Example·Call(s):332 #·Example·Call(s):
295 #333 #
296 #·····service_command·enable·bluetooth334 #·····service_command·enable·bluetooth
297 #·····service_command·disable·bluetooth.service335 #·····service_command·disable·bluetooth.service
298 #336 #
Offset 367, 58 lines modifiedOffset 411, 14 lines modified
  
367 }411 }
  
368 service_command·disable·ypbind412 service_command·disable·ypbind
369 #·END·fix·for·'service_ypbind_disabled'413 #·END·fix·for·'service_ypbind_disabled'
  
370 ###############################################################################414 ###############################################################################
371 #·BEGIN·fix·(11·/·149)·for·'package_ypbind_removed' 
372 ############################################################################### 
373 (>&2·echo·"Remediating·rule·11/149:·'package_ypbind_removed'") 
374 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
375 # 
376 #·Example·Call(s): 
377 # 
378 #·····package_remove·telnet-server 
379 # 
380 function·package_remove·{ 
  
381 #·Load·function·arguments·into·local·variables 
382 local·package="$1" 
  
383 #·Check·sanity·of·the·input 
384 if·[·$#·-ne·"1"·] 
385 then 
386 ··echo·"Usage:·package_remove·'package_name'" 
387 ··echo·"Aborting." 
388 ··exit·1 
389 fi 
  
390 if·which·dnf·;·then 
391 ··if·rpm·-q·--quiet·"$package";·then 
392 ····dnf·remove·-y·"$package" 
393 ··fi 
394 elif·which·yum·;·then 
395 ··if·rpm·-q·--quiet·"$package";·then 
396 ····yum·remove·-y·"$package" 
397 ··fi 
398 elif·which·apt-get·;·then 
399 ··apt-get·remove·-y·"$package" 
400 else 
401 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
402 ··echo·"Aborting." 
403 ··exit·1 
404 fi 
  
405 } 
  
406 package_remove·ypbind 
407 #·END·fix·for·'package_ypbind_removed' 
  
408 ############################################################################### 
409 #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed'415 #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed'
410 ###############################################################################416 ###############################################################################
411 (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'")417 (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'")
412 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.418 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
413 #419 #
414 #·Example·Call(s):420 #·Example·Call(s):
415 #421 #
Offset 922, 17 lines modifiedOffset 922, 17 lines modified
922 #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports'922 #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports'
923 ###############################################################################923 ###############################################################################
924 (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'")924 (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'")
925 #·FIX·FOR·THIS·RULE·IS·MISSING925 #·FIX·FOR·THIS·RULE·IS·MISSING
926 #·END·fix·for·'use_kerberos_security_all_exports'926 #·END·fix·for·'use_kerberos_security_all_exports'
  
Max diff block lines reached; 96537/100366 bytes (96.18%) of diff not shown.
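Review bot: The apt-get branch of the newly inserted `package_remove` (new lines 316–317 of this section) runs `apt-get remove -y "$package"` unconditionally, whereas the dnf and yum branches first test `rpm -q --quiet "$package"`; the Debian path should guard the same way, e.g. `if dpkg-query -W -f='${Status}' "$package" 2>/dev/null | grep -q 'ok installed'; then apt-get remove -y "$package"; fi`, so the remediation log does not record a removal attempt for a package that was never installed. The three `which` probes also print the resolved path to stdout, so `which dnf >/dev/null 2>&1` (and likewise for yum and apt-get) would keep that noise out of the remediation output. The identical function body is inserted in the ssg-centos7-role-nist-800-171-cui.sh and ssg-centos7-role-ospp.sh sections below, so the same change applies there. With the new ordering `package_remove ypbind` now precedes `service_command disable ypbind`; whether disabling a unit whose package was just removed returns non-zero depends on the body of service_command, which lies outside this hunk.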
226 KB
./usr/share/scap-security-guide/bash/ssg-centos7-role-nist-800-171-cui.sh
    
Offset 293, 17 lines modifiedOffset 293, 61 lines modified
  
293 }293 }
  
294 package_remove·telnet-server294 package_remove·telnet-server
295 #·END·fix·for·'package_telnet-server_removed'295 #·END·fix·for·'package_telnet-server_removed'
  
296 ###############################################################################296 ###############################################################################
297 #·BEGIN·fix·(10·/·358)·for·'service_ypbind_disabled'297 #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed'
298 ###############################################################################298 ###############################################################################
299 (>&2·echo·"Remediating·rule·10/358:·'service_ypbind_disabled'")299 (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'")
 300 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 301 #
 302 #·Example·Call(s):
 303 #
 304 #·····package_remove·telnet-server
 305 #
 306 function·package_remove·{
  
 307 #·Load·function·arguments·into·local·variables
 308 local·package="$1"
  
 309 #·Check·sanity·of·the·input
 310 if·[·$#·-ne·"1"·]
 311 then
 312 ··echo·"Usage:·package_remove·'package_name'"
 313 ··echo·"Aborting."
 314 ··exit·1
 315 fi
  
 316 if·which·dnf·;·then
 317 ··if·rpm·-q·--quiet·"$package";·then
 318 ····dnf·remove·-y·"$package"
 319 ··fi
 320 elif·which·yum·;·then
 321 ··if·rpm·-q·--quiet·"$package";·then
 322 ····yum·remove·-y·"$package"
 323 ··fi
 324 elif·which·apt-get·;·then
 325 ··apt-get·remove·-y·"$package"
 326 else
 327 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 328 ··echo·"Aborting."
 329 ··exit·1
 330 fi
  
 331 }
  
 332 package_remove·ypbind
 333 #·END·fix·for·'package_ypbind_removed'
  
 334 ###############################################################################
 335 #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled'
 336 ###############################################################################
 337 (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'")
300 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.338 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
301 #339 #
302 #·Example·Call(s):340 #·Example·Call(s):
303 #341 #
304 #·····service_command·enable·bluetooth342 #·····service_command·enable·bluetooth
305 #·····service_command·disable·bluetooth.service343 #·····service_command·disable·bluetooth.service
306 #344 #
Offset 375, 58 lines modifiedOffset 419, 14 lines modified
  
375 }419 }
  
376 service_command·disable·ypbind420 service_command·disable·ypbind
377 #·END·fix·for·'service_ypbind_disabled'421 #·END·fix·for·'service_ypbind_disabled'
  
378 ###############################################################################422 ###############################################################################
379 #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' 
380 ############################################################################### 
381 (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") 
382 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
383 # 
384 #·Example·Call(s): 
385 # 
386 #·····package_remove·telnet-server 
387 # 
388 function·package_remove·{ 
  
389 #·Load·function·arguments·into·local·variables 
390 local·package="$1" 
  
391 #·Check·sanity·of·the·input 
392 if·[·$#·-ne·"1"·] 
393 then 
394 ··echo·"Usage:·package_remove·'package_name'" 
395 ··echo·"Aborting." 
396 ··exit·1 
397 fi 
  
398 if·which·dnf·;·then 
399 ··if·rpm·-q·--quiet·"$package";·then 
400 ····dnf·remove·-y·"$package" 
401 ··fi 
402 elif·which·yum·;·then 
403 ··if·rpm·-q·--quiet·"$package";·then 
404 ····yum·remove·-y·"$package" 
405 ··fi 
406 elif·which·apt-get·;·then 
407 ··apt-get·remove·-y·"$package" 
408 else 
409 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
410 ··echo·"Aborting." 
411 ··exit·1 
412 fi 
  
413 } 
  
414 package_remove·ypbind 
415 #·END·fix·for·'package_ypbind_removed' 
  
416 ############################################################################### 
417 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'423 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'
418 ###############################################################################424 ###############################################################################
419 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")425 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")
420 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.426 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
421 #427 #
422 #·Example·Call(s):428 #·Example·Call(s):
423 #429 #
Offset 1428, 17 lines modifiedOffset 1428, 17 lines modified
1428 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'1428 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'
1429 ###############################################################################1429 ###############################################################################
1430 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")1430 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")
1431 #·FIX·FOR·THIS·RULE·IS·MISSING1431 #·FIX·FOR·THIS·RULE·IS·MISSING
1432 #·END·fix·for·'mount_option_nodev_remote_filesystems'1432 #·END·fix·for·'mount_option_nodev_remote_filesystems'
  
Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown.
226 KB
./usr/share/scap-security-guide/bash/ssg-centos7-role-ospp.sh
    
Offset 304, 17 lines modifiedOffset 304, 61 lines modified
  
304 }304 }
  
305 package_remove·telnet-server305 package_remove·telnet-server
306 #·END·fix·for·'package_telnet-server_removed'306 #·END·fix·for·'package_telnet-server_removed'
  
307 ###############################################################################307 ###############################################################################
308 #·BEGIN·fix·(10·/·358)·for·'service_ypbind_disabled'308 #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed'
309 ###############################################################################309 ###############################################################################
310 (>&2·echo·"Remediating·rule·10/358:·'service_ypbind_disabled'")310 (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'")
 311 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 312 #
 313 #·Example·Call(s):
 314 #
 315 #·····package_remove·telnet-server
 316 #
 317 function·package_remove·{
  
 318 #·Load·function·arguments·into·local·variables
 319 local·package="$1"
  
 320 #·Check·sanity·of·the·input
 321 if·[·$#·-ne·"1"·]
 322 then
 323 ··echo·"Usage:·package_remove·'package_name'"
 324 ··echo·"Aborting."
 325 ··exit·1
 326 fi
  
 327 if·which·dnf·;·then
 328 ··if·rpm·-q·--quiet·"$package";·then
 329 ····dnf·remove·-y·"$package"
 330 ··fi
 331 elif·which·yum·;·then
 332 ··if·rpm·-q·--quiet·"$package";·then
 333 ····yum·remove·-y·"$package"
 334 ··fi
 335 elif·which·apt-get·;·then
 336 ··apt-get·remove·-y·"$package"
 337 else
 338 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 339 ··echo·"Aborting."
 340 ··exit·1
 341 fi
  
 342 }
  
 343 package_remove·ypbind
 344 #·END·fix·for·'package_ypbind_removed'
  
 345 ###############################################################################
 346 #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled'
 347 ###############################################################################
 348 (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'")
311 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.349 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
312 #350 #
313 #·Example·Call(s):351 #·Example·Call(s):
314 #352 #
315 #·····service_command·enable·bluetooth353 #·····service_command·enable·bluetooth
316 #·····service_command·disable·bluetooth.service354 #·····service_command·disable·bluetooth.service
317 #355 #
Offset 386, 58 lines modifiedOffset 430, 14 lines modified
  
386 }430 }
  
387 service_command·disable·ypbind431 service_command·disable·ypbind
388 #·END·fix·for·'service_ypbind_disabled'432 #·END·fix·for·'service_ypbind_disabled'
  
389 ###############################################################################433 ###############################################################################
390 #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' 
391 ############################################################################### 
392 (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") 
393 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
394 # 
395 #·Example·Call(s): 
396 # 
397 #·····package_remove·telnet-server 
398 # 
399 function·package_remove·{ 
  
400 #·Load·function·arguments·into·local·variables 
401 local·package="$1" 
  
402 #·Check·sanity·of·the·input 
403 if·[·$#·-ne·"1"·] 
404 then 
405 ··echo·"Usage:·package_remove·'package_name'" 
406 ··echo·"Aborting." 
407 ··exit·1 
408 fi 
  
409 if·which·dnf·;·then 
410 ··if·rpm·-q·--quiet·"$package";·then 
411 ····dnf·remove·-y·"$package" 
412 ··fi 
413 elif·which·yum·;·then 
414 ··if·rpm·-q·--quiet·"$package";·then 
415 ····yum·remove·-y·"$package" 
416 ··fi 
417 elif·which·apt-get·;·then 
418 ··apt-get·remove·-y·"$package" 
419 else 
420 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
421 ··echo·"Aborting." 
422 ··exit·1 
423 fi 
  
424 } 
  
425 package_remove·ypbind 
426 #·END·fix·for·'package_ypbind_removed' 
  
427 ############################################################################### 
428 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'434 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'
429 ###############################################################################435 ###############################################################################
430 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")436 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")
431 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.437 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
432 #438 #
433 #·Example·Call(s):439 #·Example·Call(s):
434 #440 #
Offset 1439, 17 lines modifiedOffset 1439, 17 lines modified
1439 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'1439 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'
1440 ###############################################################################1440 ###############################################################################
1441 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")1441 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")
1442 #·FIX·FOR·THIS·RULE·IS·MISSING1442 #·FIX·FOR·THIS·RULE·IS·MISSING
1443 #·END·fix·for·'mount_option_nodev_remote_filesystems'1443 #·END·fix·for·'mount_option_nodev_remote_filesystems'
  
Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown.
60.4 KB
./usr/share/scap-security-guide/bash/ssg-centos7-role-pci-dss.sh
    
Offset 793, 19 lines modifiedOffset 793, 17 lines modified
793 include_dconf_settings793 include_dconf_settings
  
794 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'794 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'
795 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'795 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'
796 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'796 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'
  
797 ###############################################################################797 ###############################################################################
798 #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_idle_delay'798 #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_mode_blank'
799 ###############################################################################799 ###############################################################################
800 (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_idle_delay'")800 (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_mode_blank'")
  
801 inactivity_timeout_value="900" 
802 function·include_dconf_settings·{801 function·include_dconf_settings·{
803 »       :802 »       :
804 }803 }
  
805 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.804 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
806 #805 #
807 #·Example·Call(s):806 #·Example·Call(s):
Offset 873, 22 lines modifiedOffset 871, 24 lines modified
873 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"871 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"
874 »       fi872 »       fi
875 }873 }
  
  
876 include_dconf_settings874 include_dconf_settings
  
877 dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings'875 dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings'
878 dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock'876 dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock'
879 #·END·fix·for·'dconf_gnome_screensaver_idle_delay'877 #·END·fix·for·'dconf_gnome_screensaver_mode_blank'
  
880 ###############################################################################878 ###############################################################################
881 #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_mode_blank'879 #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_idle_delay'
882 ###############################################################################880 ###############################################################################
883 (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_mode_blank'")881 (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_idle_delay'")
  
 882 inactivity_timeout_value="900"
884 function·include_dconf_settings·{883 function·include_dconf_settings·{
885 »       :884 »       :
886 }885 }
  
887 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.886 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
888 #887 #
889 #·Example·Call(s):888 #·Example·Call(s):
Offset 956, 17 lines modifiedOffset 956, 17 lines modified
956 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"956 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"
957 »       fi957 »       fi
958 }958 }
  
  
959 include_dconf_settings959 include_dconf_settings
  
960 dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings'960 dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings'
961 dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock'961 dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock'
962 #·END·fix·for·'dconf_gnome_screensaver_mode_blank'962 #·END·fix·for·'dconf_gnome_screensaver_idle_delay'
  
963 ###############################################################################963 ###############################################################################
964 #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled'964 #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled'
965 ###############################################################################965 ###############################################################################
966 (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'")966 (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'")
967 function·include_dconf_settings·{967 function·include_dconf_settings·{
968 »       :968 »       :
Offset 2117, 72 lines modifiedOffset 2117, 72 lines modified
2117 ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG2117 ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG
2118 if·!·[·$?·-eq·0·];·then2118 if·!·[·$?·-eq·0·];·then
2119 ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG2119 ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG
2120 fi2120 fi
2121 #·END·fix·for·'auditd_data_retention_action_mail_acct'2121 #·END·fix·for·'auditd_data_retention_action_mail_acct'
  
2122 ###############################################################################2122 ###############################################################################
2123 #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_space_left_action'2123 #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_admin_space_left_action'
2124 ###############################################################################2124 ###############################################################################
2125 (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_space_left_action'")2125 (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_admin_space_left_action'")
  
2126 var_auditd_space_left_action="suspend" 
  
2127 grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\ 
2128 ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf 
2129 if·!·[·$?·-eq·0·];·then 
2130 ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf 
2131 fi 
2132 #·END·fix·for·'auditd_data_retention_space_left_action' 
  
2133 ############################################################################### 
2134 #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_admin_space_left_action' 
2135 ############################################################################### 
2136 (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_admin_space_left_action'") 
  
2137 var_auditd_admin_space_left_action="suspend"2126 var_auditd_admin_space_left_action="suspend"
  
2138 grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\2127 grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\
2139 ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf2128 ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf
2140 if·!·[·$?·-eq·0·];·then2129 if·!·[·$?·-eq·0·];·then
2141 ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf2130 ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf
2142 fi2131 fi
2143 #·END·fix·for·'auditd_data_retention_admin_space_left_action'2132 #·END·fix·for·'auditd_data_retention_admin_space_left_action'
  
2144 ###############################################################################2133 ###############################################################################
2145 #·BEGIN·fix·(50·/·94)·for·'auditd_data_retention_num_logs'2134 #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_max_log_file_action'
2146 ###############################################################################2135 ###############################################################################
2147 (>&2·echo·"Remediating·rule·50/94:·'auditd_data_retention_num_logs'")2136 (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_max_log_file_action'")
  
2148 var_auditd_num_logs="5"2137 var_auditd_max_log_file_action="rotate"
  
2149 AUDITCONFIG=/etc/audit/auditd.conf2138 AUDITCONFIG=/etc/audit/auditd.conf
  
2150 grep·-q·^num_logs·$AUDITCONFIG·&&·\2139 grep·-q·^max_log_file_action·$AUDITCONFIG·&&·\
2151 ··sed·-i·'s/^num_logs.*/num_logs·=·'"$var_auditd_num_logs"'/g'·$AUDITCONFIG2140 ··sed·-i·'s/^max_log_file_action.*/max_log_file_action·=·'"$var_auditd_max_log_file_action"'/g'·$AUDITCONFIG
2152 if·!·[·$?·-eq·0·];·then2141 if·!·[·$?·-eq·0·];·then
2153 ··echo·"num_logs·=·$var_auditd_num_logs"·>>·$AUDITCONFIG2142 ··echo·"max_log_file_action·=·$var_auditd_max_log_file_action"·>>·$AUDITCONFIG
2154 fi2143 fi
2155 #·END·fix·for·'auditd_data_retention_num_logs'2144 #·END·fix·for·'auditd_data_retention_max_log_file_action'
  
2156 ###############################################################################2145 ###############################################################################
2157 #·BEGIN·fix·(51·/·94)·for·'auditd_data_retention_max_log_file_action'2146 #·BEGIN·fix·(50·/·94)·for·'auditd_data_retention_space_left_action'
2158 ###############################################################################2147 ###############################################################################
2159 (>&2·echo·"Remediating·rule·51/94:·'auditd_data_retention_max_log_file_action'")2148 (>&2·echo·"Remediating·rule·50/94:·'auditd_data_retention_space_left_action'")
  
2160 var_auditd_max_log_file_action="rotate"2149 var_auditd_space_left_action="suspend"
  
 2150 grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\
 2151 ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf
 2152 if·!·[·$?·-eq·0·];·then
 2153 ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf
 2154 fi
 2155 #·END·fix·for·'auditd_data_retention_space_left_action'
  
Max diff block lines reached; 54266/61706 bytes (87.94%) of diff not shown.
8.84 KB
./usr/share/scap-security-guide/bash/ssg-centos7-role-rht-ccp.sh
    
Offset 376, 17 lines modifiedOffset 376, 19 lines modified
376 ··fi376 ··fi
377 }377 }
  
378 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'378 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
379 #·END·fix·for·'sshd_set_keepalive'379 #·END·fix·for·'sshd_set_keepalive'
  
380 ###############################################################################380 ###############################################################################
381 #·BEGIN·fix·(7·/·70)·for·'sshd_enable_warning_banner'381 #·BEGIN·fix·(7·/·70)·for·'sshd_set_idle_timeout'
382 ###############################################################################382 ###############################################################################
383 (>&2·echo·"Remediating·rule·7/70:·'sshd_enable_warning_banner'")383 (>&2·echo·"Remediating·rule·7/70:·'sshd_set_idle_timeout'")
  
 384 sshd_idle_timeout_value="300"
384 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if385 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
385 #·it·does·not·exist.386 #·it·does·not·exist.
386 #387 #
387 #·Expects·arguments:388 #·Expects·arguments:
388 #389 #
389 #·config_file:»  »  Configuration·file·that·will·be·modified390 #·config_file:»  »  Configuration·file·that·will·be·modified
390 #·key:»  »  »  Configuration·option·to·change391 #·key:»  »  »  Configuration·option·to·change
Offset 457, 21 lines modifiedOffset 459, 21 lines modified
457 ··else459 ··else
458 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline460 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
459 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"461 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
460 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"462 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
461 ··fi463 ··fi
462 }464 }
  
463 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'465 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
464 #·END·fix·for·'sshd_enable_warning_banner'466 #·END·fix·for·'sshd_set_idle_timeout'
  
465 ###############################################################################467 ###############################################################################
466 #·BEGIN·fix·(8·/·70)·for·'sshd_do_not_permit_user_env'468 #·BEGIN·fix·(8·/·70)·for·'sshd_enable_warning_banner'
467 ###############################################################################469 ###############################################################################
468 (>&2·echo·"Remediating·rule·8/70:·'sshd_do_not_permit_user_env'")470 (>&2·echo·"Remediating·rule·8/70:·'sshd_enable_warning_banner'")
469 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if471 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
470 #·it·does·not·exist.472 #·it·does·not·exist.
471 #473 #
472 #·Expects·arguments:474 #·Expects·arguments:
473 #475 #
474 #·config_file:»  »  Configuration·file·that·will·be·modified476 #·config_file:»  »  Configuration·file·that·will·be·modified
475 #·key:»  »  »  Configuration·option·to·change477 #·key:»  »  »  Configuration·option·to·change
Offset 542, 16 lines modifiedOffset 544, 16 lines modified
542 ··else544 ··else
543 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline545 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
544 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"546 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
545 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"547 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
546 ··fi548 ··fi
547 }549 }
  
548 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'550 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'
549 #·END·fix·for·'sshd_do_not_permit_user_env'551 #·END·fix·for·'sshd_enable_warning_banner'
  
550 ###############################################################################552 ###############################################################################
551 #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2'553 #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2'
552 ###############################################################################554 ###############################################################################
553 (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'")555 (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'")
554 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if556 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
555 #·it·does·not·exist.557 #·it·does·not·exist.
Offset 716, 19 lines modifiedOffset 718, 17 lines modified
716 ··fi718 ··fi
717 }719 }
  
718 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'720 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'
719 #·END·fix·for·'sshd_disable_rhosts'721 #·END·fix·for·'sshd_disable_rhosts'
  
720 ###############################################################################722 ###############################################################################
721 #·BEGIN·fix·(11·/·70)·for·'sshd_set_idle_timeout'723 #·BEGIN·fix·(11·/·70)·for·'sshd_do_not_permit_user_env'
722 ###############################################################################724 ###############################################################################
723 (>&2·echo·"Remediating·rule·11/70:·'sshd_set_idle_timeout'")725 (>&2·echo·"Remediating·rule·11/70:·'sshd_do_not_permit_user_env'")
  
724 sshd_idle_timeout_value="300" 
725 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if726 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
726 #·it·does·not·exist.727 #·it·does·not·exist.
727 #728 #
728 #·Expects·arguments:729 #·Expects·arguments:
729 #730 #
730 #·config_file:»  »  Configuration·file·that·will·be·modified731 #·config_file:»  »  Configuration·file·that·will·be·modified
731 #·key:»  »  »  Configuration·option·to·change732 #·key:»  »  »  Configuration·option·to·change
Offset 799, 16 lines modifiedOffset 799, 16 lines modified
799 ··else799 ··else
800 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline800 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
801 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"801 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
802 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"802 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
803 ··fi803 ··fi
804 }804 }
  
805 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'805 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'
806 #·END·fix·for·'sshd_set_idle_timeout'806 #·END·fix·for·'sshd_do_not_permit_user_env'
  
807 ###############################################################################807 ###############################################################################
808 #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers'808 #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers'
809 ###############################################################################809 ###############################################################################
810 (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'")810 (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'")
811 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if811 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
812 #·it·does·not·exist.812 #·it·does·not·exist.
Offset 1502, 26 lines modifiedOffset 1502, 26 lines modified
1502 ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs1502 ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs
1503 if·!·[·$?·-eq·0·];·then1503 if·!·[·$?·-eq·0·];·then
1504 ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs1504 ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs
1505 fi1505 fi
1506 #·END·fix·for·'accounts_minimum_age_login_defs'1506 #·END·fix·for·'accounts_minimum_age_login_defs'
  
1507 ###############################################################################1507 ###############################################################################
1508 #·BEGIN·fix·(34·/·70)·for·'accounts_no_uid_except_zero'1508 #·BEGIN·fix·(34·/·70)·for·'no_shelllogin_for_systemaccounts'
1509 ###############################################################################1509 ###############################################################################
1510 (>&2·echo·"Remediating·rule·34/70:·'accounts_no_uid_except_zero'")1510 (>&2·echo·"Remediating·rule·34/70:·'no_shelllogin_for_systemaccounts'")
1511 awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l1511 #·FIX·FOR·THIS·RULE·IS·MISSING
1512 #·END·fix·for·'accounts_no_uid_except_zero'1512 #·END·fix·for·'no_shelllogin_for_systemaccounts'
  
1513 ###############################################################################1513 ###############################################################################
1514 #·BEGIN·fix·(35·/·70)·for·'no_shelllogin_for_systemaccounts'1514 #·BEGIN·fix·(35·/·70)·for·'accounts_no_uid_except_zero'
1515 ###############################################################################1515 ###############################################################################
1516 (>&2·echo·"Remediating·rule·35/70:·'no_shelllogin_for_systemaccounts'")1516 (>&2·echo·"Remediating·rule·35/70:·'accounts_no_uid_except_zero'")
1517 #·FIX·FOR·THIS·RULE·IS·MISSING1517 awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l
1518 #·END·fix·for·'no_shelllogin_for_systemaccounts'1518 #·END·fix·for·'accounts_no_uid_except_zero'
  
1519 ###############################################################################1519 ###############################################################################
1520 #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed'1520 #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed'
1521 ###############################################################################1521 ###############################################################################
1522 (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'")1522 (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'")
1523 #·FIX·FOR·THIS·RULE·IS·MISSING1523 #·FIX·FOR·THIS·RULE·IS·MISSING
1524 #·END·fix·for·'accounts_password_all_shadowed'1524 #·END·fix·for·'accounts_password_all_shadowed'
Offset 2267, 37 lines modifiedOffset 2267, 37 lines modified
2267 ###############################################################################2267 ###############################################################################
2268 (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'")2268 (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'")
  
2269 chmod·0644·/etc/passwd2269 chmod·0644·/etc/passwd
Max diff block lines reached; 1963/8920 bytes (22.01%) of diff not shown.
53.2 KB
./usr/share/scap-security-guide/bash/ssg-centos7-role-standard.sh
    
Offset 1476, 158 lines modifiedOffset 1476, 17 lines modified
1476 }1476 }
  
1477 fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules"1477 fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules"
1478 fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules"1478 fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules"
1479 #·END·fix·for·'audit_rules_kernel_module_loading'1479 #·END·fix·for·'audit_rules_kernel_module_loading'
  
1480 ###############################################################################1480 ###############################################################################
1481 #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_watch_localtime'1481 #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_stime'
1482 ###############################################################################1482 ###############################################################################
1483 (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_watch_localtime'")1483 (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_stime'")
  
  
1484 #·Perform·the·remediation·for·both·possible·tools:·'auditctl'·and·'augenrules' 
1485 #·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: 
1486 #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements 
1487 #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect 
1488 #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules 
1489 # 
1490 #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: 
1491 #·*·audit·tool»    »    »    »    tool·used·to·load·audit·rules, 
1492 #·»      »      »      »      »      either·'auditctl',·or·'augenrules' 
1493 #·*·path························» value·of·-w·audit·rule's·argument 
1494 #·*·required·access·bits········»   value·of·-p·audit·rule's·argument 
1495 #·*·key·························»  value·of·-k·audit·rule's·argument 
1496 # 
1497 #·Example·call: 
1498 # 
1499 #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" 
1500 # 
1501 function·fix_audit_watch_rule·{ 
  
1502 #·Load·function·arguments·into·local·variables 
1503 local·tool="$1" 
1504 local·path="$2" 
1505 local·required_access_bits="$3" 
1506 local·key="$4" 
  
1507 #·Check·sanity·of·the·input 
1508 if·[·$#·-ne·"4"·] 
1509 then 
1510 »       echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" 
1511 »       echo·"Aborting." 
1512 »       exit·1 
1513 fi 
  
1514 #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness 
1515 #·of·a·particular·audit·rule.·The·scheme·is·as·follows: 
1516 # 
1517 #·----------------------------------------------------------------------------------------- 
1518 #·Tool·used·to·load·audit·rules»      |·Rule·already·defined»   |··Audit·rules·file·to·inspect»   ··| 
1519 #·----------------------------------------------------------------------------------------- 
1520 #»      auditctl»      »      |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| 
1521 #·----------------------------------------------------------------------------------------- 
1522 #·»      augenrules»    »    |··········Yes»»|··/etc/audit/rules.d/*.rules»     ··| 
1523 #·»      augenrules»    »    |··········No» » |··/etc/audit/rules.d/$key.rules··| 
1524 #·----------------------------------------------------------------------------------------- 
1525 declare·-a·files_to_inspect 
  
1526 #·Check·sanity·of·the·specified·audit·tool 
1527 if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] 
1528 then 
1529 »       echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." 
1530 »       echo·"Use·either·'auditctl'·or·'augenrules'!" 
1531 »       exit·1 
1532 #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' 
1533 #·into·the·list·of·files·to·be·inspected 
1534 elif·[·"$tool"·==·'auditctl'·] 
1535 then 
1536 »       files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') 
1537 #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined 
1538 #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. 
1539 #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. 
1540 elif·[·"$tool"·==·'augenrules'·] 
1541 then 
1542 »       #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file 
1543 »       #·Get·pair·--·filepath·:·matching_row·into·@matches·array 
1544 »       IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) 
1545 »       #·Reset·IFS·back·to·default 
1546 »       unset·IFS 
1547 »       #·For·each·of·the·matched·entries 
1548 »       for·match·in·"${matches[@]}" 
1549 »       do 
1550 »       »       #·Extract·filepath·from·the·match 
1551 »       »       rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') 
1552 »       »       #·Append·that·path·into·list·of·files·for·inspection 
1553 »       »       files_to_inspect=("${files_to_inspect[@]}"·"$rulesd_audit_file") 
1554 »       done 
1555 »       #·Case·when·particular·audit·rule·isn't·defined·yet 
1556 »       if·[·${#files_to_inspect[@]}·-eq·"0"·] 
1557 »       then 
1558 »       »       #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection 
1559 »       »       files_to_inspect="/etc/audit/rules.d/$key.rules" 
1560 »       »       #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions 
1561 »       »       if·[·!·-e·"$files_to_inspect"·] 
1562 »       »       then 
1563 »       »       »       touch·"$files_to_inspect" 
1564 »       »       »       chmod·0640·"$files_to_inspect" 
1565 »       »       fi 
1566 »       fi 
1567 fi 
  
1568 #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule 
1569 #·correction·for·each·of·the·files·previously·identified·for·inspection 
1570 for·audit_rules_file·in·"${files_to_inspect[@]}" 
1571 do 
  
1572 »       #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present 
1573 »       if·grep·-q·-P·--·"[\s]*-w[\s]+$path"·"$audit_rules_file" 
1574 »       then 
1575 »       »       #·Rule·is·found·=>·verify·yet·if·existing·rule·definition·contains 
1576 »       »       #·all·of·the·required·access·type·bits 
  
1577 »       »       #·Escape·slashes·in·path·for·use·in·sed·pattern·below 
1578 »       »       local·esc_path=${path//$'/'/$'\/'} 
1579 »       »       #·Define·BRE·whitespace·class·shortcut 
1580 »       »       local·sp="[[:space:]]" 
1581 »       »       #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule 
1582 »       »       current_access_bits=$(sed·-ne·"s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p"·"$audit_rules_file") 
1583 »       »       #·Split·required·access·bits·string·into·characters·array 
1584 »       »       #·(to·check·bit's·presence·for·one·bit·at·a·time) 
1585 »       »       for·access_bit·in·$(echo·"$required_access_bits"·|·grep·-o·.) 
1586 »       »       do 
1587 »       »       »       #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check 
1588 »       »       »       #·if·they·are·already·present·in·current·access·bits·for·rule. 
1589 »       »       »       #·If·not,·append·that·bit·at·the·end 
1590 »       »       »       if·!·grep·-q·"$access_bit"·<<<·"$current_access_bits" 
1591 »       »       »       then 
Max diff block lines reached; 47569/54366 bytes (87.50%) of diff not shown.
126 KB
./usr/share/scap-security-guide/bash/ssg-centos7-role-stig-rhel7-disa.sh
    
Offset 496, 17 lines modifiedOffset 496, 17 lines modified
496 #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems'496 #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems'
497 ###############################################################################497 ###############################################################################
498 (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'")498 (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'")
499 #·FIX·FOR·THIS·RULE·IS·MISSING499 #·FIX·FOR·THIS·RULE·IS·MISSING
500 #·END·fix·for·'mount_option_nosuid_remote_filesystems'500 #·END·fix·for·'mount_option_nosuid_remote_filesystems'
  
501 ###############################################################################501 ###############################################################################
502 #·BEGIN·fix·(23·/·243)·for·'sshd_disable_user_known_hosts'502 #·BEGIN·fix·(23·/·243)·for·'sshd_enable_strictmodes'
503 ###############################################################################503 ###############################################################################
504 (>&2·echo·"Remediating·rule·23/243:·'sshd_disable_user_known_hosts'")504 (>&2·echo·"Remediating·rule·23/243:·'sshd_enable_strictmodes'")
505 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if505 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
506 #·it·does·not·exist.506 #·it·does·not·exist.
507 #507 #
508 #·Expects·arguments:508 #·Expects·arguments:
509 #509 #
510 #·config_file:»  »  Configuration·file·that·will·be·modified510 #·config_file:»  »  Configuration·file·that·will·be·modified
511 #·key:»  »  »  Configuration·option·to·change511 #·key:»  »  »  Configuration·option·to·change
Offset 577, 21 lines modifiedOffset 577, 21 lines modified
577 ··else577 ··else
578 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline578 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
579 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"579 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
580 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"580 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
581 ··fi581 ··fi
582 }582 }
  
583 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreUserKnownHosts'·'yes'·'CCE-80372-6'·'%s·%s'583 replace_or_append·'/etc/ssh/sshd_config'·'^StrictModes'·'yes'·'CCE-80222-3'·'%s·%s'
584 #·END·fix·for·'sshd_disable_user_known_hosts'584 #·END·fix·for·'sshd_enable_strictmodes'
  
585 ###############################################################################585 ###############################################################################
586 #·BEGIN·fix·(24·/·243)·for·'sshd_disable_empty_passwords'586 #·BEGIN·fix·(24·/·243)·for·'sshd_disable_user_known_hosts'
587 ###############################################################################587 ###############################################################################
588 (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_empty_passwords'")588 (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_user_known_hosts'")
589 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if589 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
590 #·it·does·not·exist.590 #·it·does·not·exist.
591 #591 #
592 #·Expects·arguments:592 #·Expects·arguments:
593 #593 #
594 #·config_file:»  »  Configuration·file·that·will·be·modified594 #·config_file:»  »  Configuration·file·that·will·be·modified
595 #·key:»  »  »  Configuration·option·to·change595 #·key:»  »  »  Configuration·option·to·change
Offset 662, 21 lines modifiedOffset 662, 21 lines modified
662 ··else662 ··else
663 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline663 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
664 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"664 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
665 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"665 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
666 ··fi666 ··fi
667 }667 }
  
668 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'668 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreUserKnownHosts'·'yes'·'CCE-80372-6'·'%s·%s'
669 #·END·fix·for·'sshd_disable_empty_passwords'669 #·END·fix·for·'sshd_disable_user_known_hosts'
  
670 ###############################################################################670 ###############################################################################
671 #·BEGIN·fix·(25·/·243)·for·'sshd_set_keepalive'671 #·BEGIN·fix·(25·/·243)·for·'sshd_disable_empty_passwords'
672 ###############################################################################672 ###############################################################################
673 (>&2·echo·"Remediating·rule·25/243:·'sshd_set_keepalive'")673 (>&2·echo·"Remediating·rule·25/243:·'sshd_disable_empty_passwords'")
674 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if674 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
675 #·it·does·not·exist.675 #·it·does·not·exist.
676 #676 #
677 #·Expects·arguments:677 #·Expects·arguments:
678 #678 #
679 #·config_file:»  »  Configuration·file·that·will·be·modified679 #·config_file:»  »  Configuration·file·that·will·be·modified
680 #·key:»  »  »  Configuration·option·to·change680 #·key:»  »  »  Configuration·option·to·change
Offset 747, 21 lines modifiedOffset 747, 21 lines modified
747 ··else747 ··else
748 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline748 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
749 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"749 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
750 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"750 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
751 ··fi751 ··fi
752 }752 }
  
753 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'753 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'
754 #·END·fix·for·'sshd_set_keepalive'754 #·END·fix·for·'sshd_disable_empty_passwords'
  
755 ###############################################################################755 ###############################################################################
756 #·BEGIN·fix·(26·/·243)·for·'sshd_disable_rhosts_rsa'756 #·BEGIN·fix·(26·/·243)·for·'sshd_set_keepalive'
757 ###############################################################################757 ###############################################################################
758 (>&2·echo·"Remediating·rule·26/243:·'sshd_disable_rhosts_rsa'")758 (>&2·echo·"Remediating·rule·26/243:·'sshd_set_keepalive'")
759 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if759 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
760 #·it·does·not·exist.760 #·it·does·not·exist.
761 #761 #
762 #·Expects·arguments:762 #·Expects·arguments:
763 #763 #
764 #·config_file:»  »  Configuration·file·that·will·be·modified764 #·config_file:»  »  Configuration·file·that·will·be·modified
765 #·key:»  »  »  Configuration·option·to·change765 #·key:»  »  »  Configuration·option·to·change
Offset 832, 21 lines modifiedOffset 832, 23 lines modified
832 ··else832 ··else
833 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline833 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
834 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"834 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
835 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"835 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
836 ··fi836 ··fi
837 }837 }
  
838 replace_or_append·'/etc/ssh/sshd_config'·'^RhostsRSAAuthentication'·'no'·'CCE-80373-4'·'%s·%s'838 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
839 #·END·fix·for·'sshd_disable_rhosts_rsa'839 #·END·fix·for·'sshd_set_keepalive'
  
840 ###############################################################################840 ###############################################################################
841 #·BEGIN·fix·(27·/·243)·for·'sshd_enable_warning_banner'841 #·BEGIN·fix·(27·/·243)·for·'sshd_set_idle_timeout'
842 ###############################################################################842 ###############################################################################
843 (>&2·echo·"Remediating·rule·27/243:·'sshd_enable_warning_banner'")843 (>&2·echo·"Remediating·rule·27/243:·'sshd_set_idle_timeout'")
  
 844 sshd_idle_timeout_value="600"
844 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if845 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
845 #·it·does·not·exist.846 #·it·does·not·exist.
846 #847 #
847 #·Expects·arguments:848 #·Expects·arguments:
848 #849 #
849 #·config_file:»  »  Configuration·file·that·will·be·modified850 #·config_file:»  »  Configuration·file·that·will·be·modified
850 #·key:»  »  »  Configuration·option·to·change851 #·key:»  »  »  Configuration·option·to·change
Offset 917, 23 lines modifiedOffset 919, 21 lines modified
917 ··else919 ··else
918 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline920 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
919 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"921 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
920 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"922 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
921 ··fi923 ··fi
922 }924 }
  
923 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'925 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
924 #·END·fix·for·'sshd_enable_warning_banner'926 #·END·fix·for·'sshd_set_idle_timeout'
  
925 ###############################################################################927 ###############################################################################
926 #·BEGIN·fix·(28·/·243)·for·'sshd_use_approved_macs'928 #·BEGIN·fix·(28·/·243)·for·'sshd_enable_warning_banner'
927 ###############################################################################929 ###############################################################################
928 (>&2·echo·"Remediating·rule·28/243:·'sshd_use_approved_macs'")930 (>&2·echo·"Remediating·rule·28/243:·'sshd_enable_warning_banner'")
  
929 sshd_approved_macs="hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com" 
930 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if931 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
931 #·it·does·not·exist.932 #·it·does·not·exist.
932 #933 #
Max diff block lines reached; 122126/129181 bytes (94.54%) of diff not shown.
5.24 KB
./usr/share/scap-security-guide/bash/ssg-rhel-osp7-role-stig-openstack.sh
    
Offset 39, 44 lines modifiedOffset 39, 44 lines modified
39 #·BEGIN·fix·(3·/·32)·for·'cinder_using_keystone'39 #·BEGIN·fix·(3·/·32)·for·'cinder_using_keystone'
40 ###############################################################################40 ###############################################################################
41 (>&2·echo·"Remediating·rule·3/32:·'cinder_using_keystone'")41 (>&2·echo·"Remediating·rule·3/32:·'cinder_using_keystone'")
42 openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone42 openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·auth_strategy·keystone
43 #·END·fix·for·'cinder_using_keystone'43 #·END·fix·for·'cinder_using_keystone'
  
44 ###############################################################################44 ###############################################################################
45 #·BEGIN·fix·(4·/·32)·for·'cinder_tls_enabled'45 #·BEGIN·fix·(4·/·32)·for·'cinder_nova_tls'
46 ###############################################################################46 ###############################################################################
47 (>&2·echo·"Remediating·rule·4/32:·'cinder_tls_enabled'")47 (>&2·echo·"Remediating·rule·4/32:·'cinder_nova_tls'")
 48 openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False
 49 #·END·fix·for·'cinder_nova_tls'
  
 50 ###############################################################################
 51 #·BEGIN·fix·(5·/·32)·for·'cinder_tls_enabled'
 52 ###############################################################################
 53 (>&2·echo·"Remediating·rule·5/32:·'cinder_tls_enabled'")
48 OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri)54 OLD_IDENTITY_URL=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri)
49 NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}"55 NEW_IDENTITY_URI="${OLD_IDENTITY_URI:0:4}s${OLD_IDENTITY_URI:4:-1}"
50 openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI56 openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·identity_uri·$NEW_IDENTIY_URI
  
51 OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri)57 OLD_AUTH_URI=$(openstack-config·--get·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri)
52 NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}"58 NEW_AUTH_URI="${OLD_AUTH_URI:0:4}s${OLD_AUTH_URI:4:-1}"
53 openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI59 openstack-config·--set·/etc/cinder/cinder.conf·keystone_authtoken·auth_uri·$NEW_AUTH_URI
54 #·END·fix·for·'cinder_tls_enabled'60 #·END·fix·for·'cinder_tls_enabled'
  
55 ###############################################################################61 ###############################################################################
56 #·BEGIN·fix·(5·/·32)·for·'cinder_file_perms'62 #·BEGIN·fix·(6·/·32)·for·'cinder_file_perms'
57 ###############################################################################63 ###############################################################################
58 (>&2·echo·"Remediating·rule·5/32:·'cinder_file_perms'")64 (>&2·echo·"Remediating·rule·6/32:·'cinder_file_perms'")
59 chmod·640·/etc/cinder/cinder.conf65 chmod·640·/etc/cinder/cinder.conf
60 chmod·640·/etc/cinder/api-paste.ini66 chmod·640·/etc/cinder/api-paste.ini
61 chmod·640·/etc/cinder/policy.json67 chmod·640·/etc/cinder/policy.json
62 chmod·640·/etc/cinder/rootwrap.conf68 chmod·640·/etc/cinder/rootwrap.conf
63 #·END·fix·for·'cinder_file_perms'69 #·END·fix·for·'cinder_file_perms'
  
64 ###############################################################################70 ###############################################################################
65 #·BEGIN·fix·(6·/·32)·for·'cinder_nova_tls' 
66 ############################################################################### 
67 (>&2·echo·"Remediating·rule·6/32:·'cinder_nova_tls'") 
68 openstack-config·--set·/etc/cinder/cinder.conf·DEFAULT·nova_api_insecure·False 
69 #·END·fix·for·'cinder_nova_tls' 
  
70 ############################################################################### 
71 #·BEGIN·fix·(7·/·32)·for·'cinder_file_ownership'71 #·BEGIN·fix·(7·/·32)·for·'cinder_file_ownership'
72 ###############################################################################72 ###############################################################################
73 (>&2·echo·"Remediating·rule·7/32:·'cinder_file_ownership'")73 (>&2·echo·"Remediating·rule·7/32:·'cinder_file_ownership'")
74 for·file·in·/etc/cinder/cinder.conf·\74 for·file·in·/etc/cinder/cinder.conf·\
75 »       »       /etc/cinder/api-paste.ini·\75 »       »       /etc/cinder/api-paste.ini·\
76 »       »       /etc/cinder/policy.json·\76 »       »       /etc/cinder/policy.json·\
77 »       »       /etc/cinder/rootwrap.conf;·do77 »       »       /etc/cinder/rootwrap.conf;·do
Offset 239, 31 lines modifiedOffset 239, 31 lines modified
239 #·BEGIN·fix·(27·/·32)·for·'horizon_session_cookie_secure'239 #·BEGIN·fix·(27·/·32)·for·'horizon_session_cookie_secure'
240 ###############################################################################240 ###############################################################################
241 (>&2·echo·"Remediating·rule·27/32:·'horizon_session_cookie_secure'")241 (>&2·echo·"Remediating·rule·27/32:·'horizon_session_cookie_secure'")
242 openstack-config·--set·/etc/openstack-dashboard/local_settings·DEFAULT·SESSION_COOKIE_SECURE·True242 openstack-config·--set·/etc/openstack-dashboard/local_settings·DEFAULT·SESSION_COOKIE_SECURE·True
243 #·END·fix·for·'horizon_session_cookie_secure'243 #·END·fix·for·'horizon_session_cookie_secure'
  
244 ###############################################################################244 ###############################################################################
245 #·BEGIN·fix·(28·/·32)·for·'neutron_file_perms'245 #·BEGIN·fix·(28·/·32)·for·'neutron_use_keystone'
246 ###############################################################################246 ###############################################################################
247 (>&2·echo·"Remediating·rule·28/32:·'neutron_file_perms'")247 (>&2·echo·"Remediating·rule·28/32:·'neutron_use_keystone'")
 248 openstack-config·--set·/etc/neutron/neutron.conf·DEFAULT·auth_strategy·keystone
 249 #·END·fix·for·'neutron_use_keystone'
  
 250 ###############################################################################
 251 #·BEGIN·fix·(29·/·32)·for·'neutron_file_perms'
 252 ###############################################################################
 253 (>&2·echo·"Remediating·rule·29/32:·'neutron_file_perms'")
248 chmod·640·/etc/neutron/neutron.conf254 chmod·640·/etc/neutron/neutron.conf
249 chmod·640·/etc/neutron/api-paste.ini255 chmod·640·/etc/neutron/api-paste.ini
250 chmod·640·/etc/neutron/policy.json256 chmod·640·/etc/neutron/policy.json
251 chmod·640·/etc/neutron/rootwrap.conf257 chmod·640·/etc/neutron/rootwrap.conf
252 #·END·fix·for·'neutron_file_perms'258 #·END·fix·for·'neutron_file_perms'
  
253 ###############################################################################259 ###############################################################################
254 #·BEGIN·fix·(29·/·32)·for·'neutron_use_keystone' 
255 ############################################################################### 
256 (>&2·echo·"Remediating·rule·29/32:·'neutron_use_keystone'") 
257 openstack-config·--set·/etc/neutron/neutron.conf·DEFAULT·auth_strategy·keystone 
258 #·END·fix·for·'neutron_use_keystone' 
  
259 ############################################################################### 
260 #·BEGIN·fix·(30·/·32)·for·'neutron_use_https'260 #·BEGIN·fix·(30·/·32)·for·'neutron_use_https'
261 ###############################################################################261 ###############################################################################
262 (>&2·echo·"Remediating·rule·30/32:·'neutron_use_https'")262 (>&2·echo·"Remediating·rule·30/32:·'neutron_use_https'")
263 STR_IDENTITY_URI=$(openstack-config·--get·/etc/neutron/neutron.conf·keystone_authtoken·identity_uri)263 STR_IDENTITY_URI=$(openstack-config·--get·/etc/neutron/neutron.conf·keystone_authtoken·identity_uri)
264 NEW_IDENTITY_URI=${STR_IDENTITY_URI:0:4}s${STR_IDENTITY_URI:4:-1}264 NEW_IDENTITY_URI=${STR_IDENTITY_URI:0:4}s${STR_IDENTITY_URI:4:-1}
265 openstack-config·--set·/etc/neutron/neutron.conf·keystone_authtoken·identity_uri·$NEW_IDENTITY_URI265 openstack-config·--set·/etc/neutron/neutron.conf·keystone_authtoken·identity_uri·$NEW_IDENTITY_URI
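Review bot: In the cinder_tls_enabled block (new lines 54-56) the variable names do not line up: the value is stored in `OLD_IDENTITY_URL` but read back as `OLD_IDENTITY_URI`, and the result is assigned to `NEW_IDENTITY_URI` but passed to `openstack-config --set` as `$NEW_IDENTIY_URI`, so both expansions are empty and the remediation either errors out or blanks `keystone_authtoken.identity_uri` instead of switching it to TLS. The `${VAR:4:-1}` slice also drops the last character of whatever URI is present, and inserting `s` after the fourth character assumes the value starts with `http:` (a value already on `https:` would become `httpss:`); the same slicing is used for `auth_uri` on lines 57-59 and for neutron on line 264. A substitution that is a no-op when TLS is already configured would be safer: `OLD_IDENTITY_URI=$(openstack-config --get /etc/cinder/cinder.conf keystone_authtoken identity_uri)`, `NEW_IDENTITY_URI="${OLD_IDENTITY_URI/#http:/https:}"`, `openstack-config --set /etc/cinder/cinder.conf keystone_authtoken identity_uri "$NEW_IDENTITY_URI"`. These lines are unchanged context; the commit only renumbers the rule around them.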
  
329 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-C2S.sh
    
Offset 27, 17 lines modifiedOffset 27, 17 lines modified
27 #27 #
28 #·How·to·apply·this·remediation·role:28 #·How·to·apply·this·remediation·role:
29 #·$·sudo·./remediation-role.sh29 #·$·sudo·./remediation-role.sh
30 #30 #
31 ###############################################################################31 ###############################################################################
  
32 ###############################################################################32 ###############################################################################
33 #·BEGIN·fix·(1·/·188)·for·'package_samba_removed'33 #·BEGIN·fix·(1·/·188)·for·'package_vsftpd_removed'
34 ###############################################################################34 ###############################################################################
35 (>&2·echo·"Remediating·rule·1/188:·'package_samba_removed'")35 (>&2·echo·"Remediating·rule·1/188:·'package_vsftpd_removed'")
36 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.36 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
37 #37 #
38 #·Example·Call(s):38 #·Example·Call(s):
39 #39 #
40 #·····package_remove·telnet-server40 #·····package_remove·telnet-server
41 #41 #
42 function·package_remove·{42 function·package_remove·{
Offset 67, 16 lines modifiedOffset 67, 16 lines modified
67 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"67 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
68 ··echo·"Aborting."68 ··echo·"Aborting."
69 ··exit·169 ··exit·1
70 fi70 fi
  
71 }71 }
  
72 package_remove·samba72 package_remove·vsftpd
73 #·END·fix·for·'package_samba_removed'73 #·END·fix·for·'package_vsftpd_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed'75 #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'")77 (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'")
78 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.78 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
79 #79 #
Offset 115, 24 lines modifiedOffset 115, 61 lines modified
  
115 }115 }
  
116 package_remove·httpd116 package_remove·httpd
117 #·END·fix·for·'package_httpd_removed'117 #·END·fix·for·'package_httpd_removed'
  
118 ###############################################################################118 ###############################################################################
119 #·BEGIN·fix·(3·/·188)·for·'postfix_network_listening_disabled'119 #·BEGIN·fix·(3·/·188)·for·'package_bind_removed'
120 ###############################################################################120 ###############################################################################
121 (>&2·echo·"Remediating·rule·3/188:·'postfix_network_listening_disabled'")121 (>&2·echo·"Remediating·rule·3/188:·'package_bind_removed'")
122 #·FIX·FOR·THIS·RULE·IS·MISSING122 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
123 #·END·fix·for·'postfix_network_listening_disabled'123 #
 124 #·Example·Call(s):
 125 #
 126 #·····package_remove·telnet-server
 127 #
 128 function·package_remove·{
  
 129 #·Load·function·arguments·into·local·variables
 130 local·package="$1"
  
 131 #·Check·sanity·of·the·input
 132 if·[·$#·-ne·"1"·]
 133 then
 134 ··echo·"Usage:·package_remove·'package_name'"
 135 ··echo·"Aborting."
 136 ··exit·1
 137 fi
  
 138 if·which·dnf·;·then
 139 ··if·rpm·-q·--quiet·"$package";·then
 140 ····dnf·remove·-y·"$package"
 141 ··fi
 142 elif·which·yum·;·then
 143 ··if·rpm·-q·--quiet·"$package";·then
 144 ····yum·remove·-y·"$package"
 145 ··fi
 146 elif·which·apt-get·;·then
 147 ··apt-get·remove·-y·"$package"
 148 else
 149 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 150 ··echo·"Aborting."
 151 ··exit·1
 152 fi
  
 153 }
  
 154 package_remove·bind
 155 #·END·fix·for·'package_bind_removed'
  
124 ###############################################################################156 ###############################################################################
125 #·BEGIN·fix·(4·/·188)·for·'package_dhcp_removed'157 #·BEGIN·fix·(4·/·188)·for·'package_samba_removed'
126 ###############################################################################158 ###############################################################################
127 (>&2·echo·"Remediating·rule·4/188:·'package_dhcp_removed'")159 (>&2·echo·"Remediating·rule·4/188:·'package_samba_removed'")
128 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.160 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
129 #161 #
130 #·Example·Call(s):162 #·Example·Call(s):
131 #163 #
132 #·····package_remove·telnet-server164 #·····package_remove·telnet-server
133 #165 #
134 function·package_remove·{166 function·package_remove·{
Offset 162, 16 lines modifiedOffset 199, 16 lines modified
162 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"199 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
163 ··echo·"Aborting."200 ··echo·"Aborting."
164 ··exit·1201 ··exit·1
165 fi202 fi
  
166 }203 }
  
167 package_remove·dhcp204 package_remove·samba
168 #·END·fix·for·'package_dhcp_removed'205 #·END·fix·for·'package_samba_removed'
  
169 ###############################################################################206 ###############################################################################
170 #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled'207 #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled'
171 ###############################################################################208 ###############################################################################
172 (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'")209 (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'")
173 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.210 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
174 #211 #
Offset 262, 17 lines modifiedOffset 299, 105 lines modified
262 #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server'299 #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server'
263 ###############################################################################300 ###############################################################################
264 (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'")301 (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'")
265 #·FIX·FOR·THIS·RULE·IS·MISSING302 #·FIX·FOR·THIS·RULE·IS·MISSING
266 #·END·fix·for·'ntpd_specify_remote_server'303 #·END·fix·for·'ntpd_specify_remote_server'
  
267 ###############################################################################304 ###############################################################################
268 #·BEGIN·fix·(8·/·188)·for·'service_cups_disabled'305 #·BEGIN·fix·(8·/·188)·for·'package_openldap-servers_removed'
269 ###############################################################################306 ###############################################################################
270 (>&2·echo·"Remediating·rule·8/188:·'service_cups_disabled'")307 (>&2·echo·"Remediating·rule·8/188:·'package_openldap-servers_removed'")
 308 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 309 #
 310 #·Example·Call(s):
Max diff block lines reached; 329997/337019 bytes (97.92%) of diff not shown.
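Review bot: The emitted rule order is not deterministic: built from the same 0.1.39-2 source, rule 1/188 is `package_samba_removed` in one build and `package_vsftpd_removed` in the other, and `package_bind_removed` and `package_samba_removed` appear at 3/188 and 4/188 only in the second build (new lines 119-205). A remediation role whose bytes change between identical builds cannot be checked against a published hash, so a tampered copy of the shipped script would be indistinguishable from build noise. The cause is not visible in this diff; it looks like unordered set or dictionary iteration in the bash-role generator, and sorting the rule IDs before emission (or preserving the profile's selection order) should make the output byte-stable. Each rule also re-declares the identical `package_remove` function (new lines 122-153), so hoisting it once at the top of the role would shrink both the script and the diff surface.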
437 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-CS2.sh
    
Offset 18, 17 lines modifiedOffset 18, 31 lines modified
18 #18 #
19 #·How·to·apply·this·remediation·role:19 #·How·to·apply·this·remediation·role:
20 #·$·sudo·./remediation-role.sh20 #·$·sudo·./remediation-role.sh
21 #21 #
22 ###############################################################################22 ###############################################################################
  
23 ###############################################################################23 ###############################################################################
24 #·BEGIN·fix·(1·/·313)·for·'service_smb_disabled'24 #·BEGIN·fix·(1·/·313)·for·'ftp_log_transactions'
25 ###############################################################################25 ###############################################################################
26 (>&2·echo·"Remediating·rule·1/313:·'service_smb_disabled'")26 (>&2·echo·"Remediating·rule·1/313:·'ftp_log_transactions'")
 27 #·FIX·FOR·THIS·RULE·IS·MISSING
 28 #·END·fix·for·'ftp_log_transactions'
  
 29 ###############################################################################
 30 #·BEGIN·fix·(2·/·313)·for·'ftp_present_banner'
 31 ###############################################################################
 32 (>&2·echo·"Remediating·rule·2/313:·'ftp_present_banner'")
 33 #·FIX·FOR·THIS·RULE·IS·MISSING
 34 #·END·fix·for·'ftp_present_banner'
  
 35 ###############################################################################
 36 #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled'
 37 ###############################################################################
 38 (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'")
27 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.39 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
28 #40 #
29 #·Example·Call(s):41 #·Example·Call(s):
30 #42 #
31 #·····service_command·enable·bluetooth43 #·····service_command·enable·bluetooth
32 #·····service_command·disable·bluetooth.service44 #·····service_command·disable·bluetooth.service
33 #45 #
Offset 96, 49 lines modifiedOffset 110, 60 lines modified
96 ··else110 ··else
97 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd111 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
98 ··fi112 ··fi
99 fi113 fi
  
100 }114 }
  
101 service_command·disable·smb115 service_command·disable·vsftpd
102 #·END·fix·for·'service_smb_disabled'116 #·END·fix·for·'service_vsftpd_disabled'
  
103 ###############################################################################117 ###############################################################################
104 #·BEGIN·fix·(2·/·313)·for·'smb_server_disable_root'118 #·BEGIN·fix·(4·/·313)·for·'package_vsftpd_removed'
105 ###############################################################################119 ###############################################################################
106 (>&2·echo·"Remediating·rule·2/313:·'smb_server_disable_root'")120 (>&2·echo·"Remediating·rule·4/313:·'package_vsftpd_removed'")
107 #·FIX·FOR·THIS·RULE·IS·MISSING121 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
108 #·END·fix·for·'smb_server_disable_root'122 #
 123 #·Example·Call(s):
 124 #
 125 #·····package_remove·telnet-server
 126 #
 127 function·package_remove·{
  
109 ###############################################################################128 #·Load·function·arguments·into·local·variables
110 #·BEGIN·fix·(3·/·313)·for·'require_smb_client_signing'129 local·package="$1"
111 ############################################################################### 
112 (>&2·echo·"Remediating·rule·3/313:·'require_smb_client_signing'") 
113 ###################################################################### 
114 #By·Luke·"Brisk-OH"·Brisk 
115 #luke.brisk@boeing.com·or·luke.brisk@gmail.com 
116 ###################################################################### 
  
117 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)130 #·Check·sanity·of·the·input
 131 if·[·$#·-ne·"1"·]
 132 then
 133 ··echo·"Usage:·package_remove·'package_name'"
 134 ··echo·"Aborting."
 135 ··exit·1
 136 fi
  
118 if·[·"$CLIENTSIGNING"·-eq·0·];··then137 if·which·dnf·;·then
119 »       #·Add·to·global·section138 ··if·rpm·-q·--quiet·"$package";·then
120 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf139 ····dnf·remove·-y·"$package"
 140 ··fi
 141 elif·which·yum·;·then
 142 ··if·rpm·-q·--quiet·"$package";·then
 143 ····yum·remove·-y·"$package"
 144 ··fi
 145 elif·which·apt-get·;·then
 146 ··apt-get·remove·-y·"$package"
121 else147 else
122 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf148 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 149 ··echo·"Aborting."
 150 ··exit·1
123 fi151 fi
124 #·END·fix·for·'require_smb_client_signing' 
  
125 ###############################################################################152 }
126 #·BEGIN·fix·(4·/·313)·for·'mount_option_smb_client_signing' 
127 ###############################################################################153 package_remove·vsftpd
128 (>&2·echo·"Remediating·rule·4/313:·'mount_option_smb_client_signing'")154 #·END·fix·for·'package_vsftpd_removed'
129 #·FIX·FOR·THIS·RULE·IS·MISSING 
130 #·END·fix·for·'mount_option_smb_client_signing' 
  
131 ###############################################################################155 ###############################################################################
132 #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed'156 #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed'
133 ###############################################################################157 ###############################################################################
134 (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'")158 (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'")
135 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.159 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
136 #160 #
Offset 248, 94 lines modifiedOffset 273, 183 lines modified
248 #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support'273 #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support'
249 ###############################################################################274 ###############################################################################
250 (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'")275 (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'")
251 #·FIX·FOR·THIS·RULE·IS·MISSING276 #·FIX·FOR·THIS·RULE·IS·MISSING
252 #·END·fix·for·'httpd_ldap_support'277 #·END·fix·for·'httpd_ldap_support'
  
253 ###############################################################################278 ###############################################################################
254 #·BEGIN·fix·(16·/·313)·for·'httpd_mime_magic'279 #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support'
255 ###############################################################################280 ###############################################################################
256 (>&2·echo·"Remediating·rule·16/313:·'httpd_mime_magic'")281 (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'")
257 #·FIX·FOR·THIS·RULE·IS·MISSING282 #·FIX·FOR·THIS·RULE·IS·MISSING
258 #·END·fix·for·'httpd_mime_magic'283 #·END·fix·for·'httpd_cgi_support'
  
259 ###############################################################################284 ###############################################################################
260 #·BEGIN·fix·(17·/·313)·for·'httpd_digest_authentication'285 #·BEGIN·fix·(17·/·313)·for·'httpd_url_correction'
261 ###############################################################################286 ###############################################################################
262 (>&2·echo·"Remediating·rule·17/313:·'httpd_digest_authentication'")287 (>&2·echo·"Remediating·rule·17/313:·'httpd_url_correction'")
263 #·FIX·FOR·THIS·RULE·IS·MISSING288 #·FIX·FOR·THIS·RULE·IS·MISSING
264 #·END·fix·for·'httpd_digest_authentication'289 #·END·fix·for·'httpd_url_correction'
  
265 ###############################################################################290 ###############################################################################
266 #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status'291 #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status'
267 ###############################################################################292 ###############################################################################
268 (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'")293 (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'")
269 #·FIX·FOR·THIS·RULE·IS·MISSING294 #·FIX·FOR·THIS·RULE·IS·MISSING
Max diff block lines reached; 441404/447704 bytes (98.59%) of diff not shown.
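Review bot: In `package_remove` (new lines 127-152) the dnf and yum branches guard removal with `rpm -q --quiet "$package"`, but the apt-get branch on line 146 runs `apt-get remove -y "$package"` unconditionally, so on a Debian-derived host the role attempts to remove a package that may not be installed and the three branches behave inconsistently. A matching guard would be `if dpkg-query -W -f='${Status}' "$package" 2>/dev/null | grep -q 'ok installed'; then apt-get remove -y "$package"; fi`. The `which dnf`/`which yum`/`which apt-get` probes also print the resolved path to stdout, mixing it into the remediation output; `command -v dnf >/dev/null 2>&1` would be quieter and more portable. Separately, this build moves `require_smb_client_signing`, whose sed-based fix was previously rule 3/313, out of the first hunk, and the truncated diff does not show where it is re-emitted, so it is worth confirming the generated role still contains it.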
292 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-CSCF-RHEL6-MLS.sh
    
Offset 23, 46 lines modifiedOffset 23, 99 lines modified
23 #23 #
24 #·How·to·apply·this·remediation·role:24 #·How·to·apply·this·remediation·role:
25 #·$·sudo·./remediation-role.sh25 #·$·sudo·./remediation-role.sh
26 #26 #
27 ###############################################################################27 ###############################################################################
  
28 ###############################################################################28 ###############################################################################
29 #·BEGIN·fix·(1·/·215)·for·'httpd_servertokens_prod'29 #·BEGIN·fix·(1·/·215)·for·'service_vsftpd_disabled'
30 ###############################################################################30 ###############################################################################
31 (>&2·echo·"Remediating·rule·1/215:·'httpd_servertokens_prod'")31 (>&2·echo·"Remediating·rule·1/215:·'service_vsftpd_disabled'")
32 #·FIX·FOR·THIS·RULE·IS·MISSING32 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
33 #·END·fix·for·'httpd_servertokens_prod'33 #
 34 #·Example·Call(s):
 35 #
 36 #·····service_command·enable·bluetooth
 37 #·····service_command·disable·bluetooth.service
 38 #
 39 #·····Using·xinetd:
 40 #·····service_command·disable·rsh.socket·xinetd=rsh
 41 #
 42 function·service_command·{
  
34 ###############################################################################43 #·Load·function·arguments·into·local·variables
35 #·BEGIN·fix·(2·/·215)·for·'file_permissions_httpd_server_conf_files'44 local·service_state=$1
36 ###############################################################################45 local·service=$2
37 (>&2·echo·"Remediating·rule·2/215:·'file_permissions_httpd_server_conf_files'")46 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
38 chmod·0640·/etc/httpd/conf/*47 #·Check·sanity·of·the·input
39 #·END·fix·for·'file_permissions_httpd_server_conf_files'48 if·[·$#·-lt·"2"·]
 49 then
 50 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 51 ··echo
 52 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 53 ··echo·"as·the·last·argument"··
 54 ··echo·"Aborting."
 55 ··exit·1
 56 fi
  
40 ###############################################################################57 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
41 #·BEGIN·fix·(3·/·215)·for·'dir_perms_var_log_httpd'58 if·[·-f·"/usr/bin/systemctl"·]·;·then
42 ###############################################################################59 ··service_util="/usr/bin/systemctl"
43 (>&2·echo·"Remediating·rule·3/215:·'dir_perms_var_log_httpd'")60 else
44 #·FIX·FOR·THIS·RULE·IS·MISSING61 ··service_util="/sbin/service"
45 #·END·fix·for·'dir_perms_var_log_httpd'62 ··chkconfig_util="/sbin/chkconfig"
 63 fi
  
46 ###############################################################################64 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
47 #·BEGIN·fix·(4·/·215)·for·'postfix_network_listening_disabled'65 #·Otherwise,·variables·are·to·be·set·to·disable·services.
48 ###############################################################################66 if·[·"$service_state"·!=·'disable'·]·;·then
49 (>&2·echo·"Remediating·rule·4/215:·'postfix_network_listening_disabled'")67 ··service_state="enable"
50 #·FIX·FOR·THIS·RULE·IS·MISSING68 ··service_operation="start"
51 #·END·fix·for·'postfix_network_listening_disabled'69 ··chkconfig_state="on"
 70 else
 71 ··service_state="disable"
 72 ··service_operation="stop"
 73 ··chkconfig_state="off"
 74 fi
  
 75 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 76 if·[·"x$chkconfig_util"·!=·x·]·;·then
 77 ··$service_util·$service·$service_operation
 78 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 79 else
 80 ··$service_util·$service_operation·$service
 81 ··$service_util·$service_state·$service
 82 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 83 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 84 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 85 ··$service_util·reset-failed·$service
 86 fi
  
 87 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 88 #·If·empty,·then·xinetd·is·not·being·used.
 89 if·[·"x$xinetd"·!=·x·]·;·then
 90 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 91 ··if·[·"$service_operation"·=·'disable'·]·;·then
 92 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 93 ··else
 94 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 95 ··fi
 96 fi
  
 97 }
  
 98 service_command·disable·vsftpd
 99 #·END·fix·for·'service_vsftpd_disabled'
  
52 ###############################################################################100 ###############################################################################
53 #·BEGIN·fix·(5·/·215)·for·'package_sendmail_removed'101 #·BEGIN·fix·(2·/·215)·for·'package_vsftpd_removed'
54 ###############################################################################102 ###############################################################################
55 (>&2·echo·"Remediating·rule·5/215:·'package_sendmail_removed'")103 (>&2·echo·"Remediating·rule·2/215:·'package_vsftpd_removed'")
56 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.104 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
57 #105 #
58 #·Example·Call(s):106 #·Example·Call(s):
59 #107 #
60 #·····package_remove·telnet-server108 #·····package_remove·telnet-server
61 #109 #
62 function·package_remove·{110 function·package_remove·{
Offset 92, 49 lines modifiedOffset 145, 132 lines modified
92 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"145 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
93 ··echo·"Aborting."146 ··echo·"Aborting."
94 ··exit·1147 ··exit·1
95 fi148 fi
  
96 }149 }
  
97 package_remove·sendmail150 package_remove·vsftpd
98 #·END·fix·for·'package_sendmail_removed'151 #·END·fix·for·'package_vsftpd_removed'
  
99 ###############################################################################152 ###############################################################################
100 #·BEGIN·fix·(6·/·215)·for·'sysconfig_networking_bootproto_ifcfg'153 #·BEGIN·fix·(3·/·215)·for·'httpd_servertokens_prod'
101 ###############################################################################154 ###############################################################################
102 (>&2·echo·"Remediating·rule·6/215:·'sysconfig_networking_bootproto_ifcfg'")155 (>&2·echo·"Remediating·rule·3/215:·'httpd_servertokens_prod'")
103 #·FIX·FOR·THIS·RULE·IS·MISSING156 #·FIX·FOR·THIS·RULE·IS·MISSING
104 #·END·fix·for·'sysconfig_networking_bootproto_ifcfg'157 #·END·fix·for·'httpd_servertokens_prod'
  
105 ###############################################################################158 ###############################################################################
106 #·BEGIN·fix·(7·/·215)·for·'dhcp_server_deny_decline'159 #·BEGIN·fix·(4·/·215)·for·'file_permissions_httpd_server_conf_files'
107 ###############################################################################160 ###############################################################################
108 (>&2·echo·"Remediating·rule·7/215:·'dhcp_server_deny_decline'")161 (>&2·echo·"Remediating·rule·4/215:·'file_permissions_httpd_server_conf_files'")
109 #·FIX·FOR·THIS·RULE·IS·MISSING 
110 #·END·fix·for·'dhcp_server_deny_decline'162 chmod·0640·/etc/httpd/conf/*
 163 #·END·fix·for·'file_permissions_httpd_server_conf_files'
  
111 ###############################################################################164 ###############################################################################
112 #·BEGIN·fix·(8·/·215)·for·'dhcp_server_disable_ddns'165 #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd'
Max diff block lines reached; 292875/299278 bytes (97.86%) of diff not shown.
321 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-desktop.sh
    
Offset 19, 17 lines modifiedOffset 19, 17 lines modified
19 #19 #
20 #·How·to·apply·this·remediation·role:20 #·How·to·apply·this·remediation·role:
21 #·$·sudo·./remediation-role.sh21 #·$·sudo·./remediation-role.sh
22 #22 #
23 ###############################################################################23 ###############################################################################
  
24 ###############################################################################24 ###############################################################################
25 #·BEGIN·fix·(1·/·206)·for·'service_smb_disabled'25 #·BEGIN·fix·(1·/·206)·for·'service_vsftpd_disabled'
26 ###############################################################################26 ###############################################################################
27 (>&2·echo·"Remediating·rule·1/206:·'service_smb_disabled'")27 (>&2·echo·"Remediating·rule·1/206:·'service_vsftpd_disabled'")
28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
29 #29 #
30 #·Example·Call(s):30 #·Example·Call(s):
31 #31 #
32 #·····service_command·enable·bluetooth32 #·····service_command·enable·bluetooth
33 #·····service_command·disable·bluetooth.service33 #·····service_command·disable·bluetooth.service
34 #34 #
Offset 97, 47 lines modifiedOffset 97, 65 lines modified
97 ··else97 ··else
98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
99 ··fi99 ··fi
100 fi100 fi
  
101 }101 }
  
102 service_command·disable·smb102 service_command·disable·vsftpd
103 #·END·fix·for·'service_smb_disabled'103 #·END·fix·for·'service_vsftpd_disabled'
  
104 ###############################################################################104 ###############################################################################
105 #·BEGIN·fix·(2·/·206)·for·'require_smb_client_signing'105 #·BEGIN·fix·(2·/·206)·for·'package_vsftpd_removed'
106 ###############################################################################106 ###############################################################################
107 (>&2·echo·"Remediating·rule·2/206:·'require_smb_client_signing'")107 (>&2·echo·"Remediating·rule·2/206:·'package_vsftpd_removed'")
108 ######################################################################108 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
109 #By·Luke·"Brisk-OH"·Brisk109 #
110 #luke.brisk@boeing.com·or·luke.brisk@gmail.com110 #·Example·Call(s):
111 ######################################################################111 #
 112 #·····package_remove·telnet-server
 113 #
 114 function·package_remove·{
  
112 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)115 #·Load·function·arguments·into·local·variables
 116 local·package="$1"
  
113 if·[·"$CLIENTSIGNING"·-eq·0·];··then117 #·Check·sanity·of·the·input
114 »       #·Add·to·global·section118 if·[·$#·-ne·"1"·]
115 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf119 then
 120 ··echo·"Usage:·package_remove·'package_name'"
 121 ··echo·"Aborting."
 122 ··exit·1
 123 fi
  
 124 if·which·dnf·;·then
 125 ··if·rpm·-q·--quiet·"$package";·then
 126 ····dnf·remove·-y·"$package"
 127 ··fi
 128 elif·which·yum·;·then
 129 ··if·rpm·-q·--quiet·"$package";·then
 130 ····yum·remove·-y·"$package"
 131 ··fi
 132 elif·which·apt-get·;·then
 133 ··apt-get·remove·-y·"$package"
116 else134 else
117 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf135 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 136 ··echo·"Aborting."
 137 ··exit·1
118 fi138 fi
119 #·END·fix·for·'require_smb_client_signing' 
  
120 ###############################################################################139 }
121 #·BEGIN·fix·(3·/·206)·for·'mount_option_smb_client_signing' 
122 ###############################################################################140 package_remove·vsftpd
123 (>&2·echo·"Remediating·rule·3/206:·'mount_option_smb_client_signing'")141 #·END·fix·for·'package_vsftpd_removed'
124 #·FIX·FOR·THIS·RULE·IS·MISSING 
125 #·END·fix·for·'mount_option_smb_client_signing' 
  
126 ###############################################################################142 ###############################################################################
127 #·BEGIN·fix·(4·/·206)·for·'service_httpd_disabled'143 #·BEGIN·fix·(3·/·206)·for·'service_httpd_disabled'
128 ###############################################################################144 ###############################################################################
129 (>&2·echo·"Remediating·rule·4/206:·'service_httpd_disabled'")145 (>&2·echo·"Remediating·rule·3/206:·'service_httpd_disabled'")
130 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.146 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
131 #147 #
132 #·Example·Call(s):148 #·Example·Call(s):
133 #149 #
134 #·····service_command·enable·bluetooth150 #·····service_command·enable·bluetooth
135 #·····service_command·disable·bluetooth.service151 #·····service_command·disable·bluetooth.service
136 #152 #
Offset 209, 17 lines modifiedOffset 227, 17 lines modified
  
209 }227 }
  
210 service_command·disable·httpd228 service_command·disable·httpd
211 #·END·fix·for·'service_httpd_disabled'229 #·END·fix·for·'service_httpd_disabled'
  
212 ###############################################################################230 ###############################################################################
213 #·BEGIN·fix·(5·/·206)·for·'package_httpd_removed'231 #·BEGIN·fix·(4·/·206)·for·'package_httpd_removed'
214 ###############################################################################232 ###############################################################################
215 (>&2·echo·"Remediating·rule·5/206:·'package_httpd_removed'")233 (>&2·echo·"Remediating·rule·4/206:·'package_httpd_removed'")
216 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.234 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
217 #235 #
218 #·Example·Call(s):236 #·Example·Call(s):
219 #237 #
220 #·····package_remove·telnet-server238 #·····package_remove·telnet-server
221 #239 #
222 function·package_remove·{240 function·package_remove·{
Offset 253, 24 lines modifiedOffset 271, 99 lines modified
  
253 }271 }
  
254 package_remove·httpd272 package_remove·httpd
255 #·END·fix·for·'package_httpd_removed'273 #·END·fix·for·'package_httpd_removed'
  
256 ###############################################################################274 ###############################################################################
257 #·BEGIN·fix·(6·/·206)·for·'postfix_network_listening_disabled'275 #·BEGIN·fix·(5·/·206)·for·'service_named_disabled'
258 ###############################################################################276 ###############################################################################
259 (>&2·echo·"Remediating·rule·6/206:·'postfix_network_listening_disabled'")277 (>&2·echo·"Remediating·rule·5/206:·'service_named_disabled'")
260 #·FIX·FOR·THIS·RULE·IS·MISSING278 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
261 #·END·fix·for·'postfix_network_listening_disabled'279 #
 280 #·Example·Call(s):
 281 #
 282 #·····service_command·enable·bluetooth
 283 #·····service_command·disable·bluetooth.service
 284 #
 285 #·····Using·xinetd:
 286 #·····service_command·disable·rsh.socket·xinetd=rsh
 287 #
 288 function·service_command·{
  
Max diff block lines reached; 321323/328772 bytes (97.73%) of diff not shown.
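Review bot: The rule order in the generated ssg-rhel6-role-desktop.sh differs between the two builds while the total stays at 206 (old side begins with 'service_smb_disabled', 'require_smb_client_signing', 'mount_option_smb_client_signing'; new side with 'service_vsftpd_disabled', 'package_vsftpd_removed', 'service_httpd_disabled'), which points to the role generator emitting rules in a non-deterministic order rather than to an intentional content change. The same pattern appears in the fisma-medium, ftp-server, nist-CL-IL-AL and pci-dss role sections below. Because the shipped remediation scripts, and with them the package checksums, change from build to build, a consumer cannot confirm that the binary package corresponds to the source, which is exactly what this comparison is meant to establish. The fix belongs in the generator: iterate the selected rules in a stable order (sorted by rule id, or in profile selection order) before writing the `# BEGIN fix (N / M)` blocks. Whether the rule membership also differs cannot be confirmed from here, since each section is truncated.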
325 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-fisma-medium-rhel6-server.sh
    
Offset 114, 17 lines modifiedOffset 114, 181 lines modified
114 #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server'114 #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server'
115 ###############################################################################115 ###############################################################################
116 (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'")116 (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'")
117 #·FIX·FOR·THIS·RULE·IS·MISSING117 #·FIX·FOR·THIS·RULE·IS·MISSING
118 #·END·fix·for·'ntpd_specify_remote_server'118 #·END·fix·for·'ntpd_specify_remote_server'
  
119 ###############################################################################119 ###############################################################################
120 #·BEGIN·fix·(4·/·211)·for·'package_rsh_removed'120 #·BEGIN·fix·(4·/·211)·for·'service_crond_enabled'
121 ###############################################################################121 ###############################################################################
122 (>&2·echo·"Remediating·rule·4/211:·'package_rsh_removed'")122 (>&2·echo·"Remediating·rule·4/211:·'service_crond_enabled'")
 123 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 124 #
 125 #·Example·Call(s):
 126 #
 127 #·····service_command·enable·bluetooth
 128 #·····service_command·disable·bluetooth.service
 129 #
 130 #·····Using·xinetd:
 131 #·····service_command·disable·rsh.socket·xinetd=rsh
 132 #
 133 function·service_command·{
  
 134 #·Load·function·arguments·into·local·variables
 135 local·service_state=$1
 136 local·service=$2
 137 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 138 #·Check·sanity·of·the·input
 139 if·[·$#·-lt·"2"·]
 140 then
 141 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 142 ··echo
 143 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 144 ··echo·"as·the·last·argument"··
 145 ··echo·"Aborting."
 146 ··exit·1
 147 fi
  
 148 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 149 if·[·-f·"/usr/bin/systemctl"·]·;·then
 150 ··service_util="/usr/bin/systemctl"
 151 else
 152 ··service_util="/sbin/service"
 153 ··chkconfig_util="/sbin/chkconfig"
 154 fi
  
 155 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 156 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 157 if·[·"$service_state"·!=·'disable'·]·;·then
 158 ··service_state="enable"
 159 ··service_operation="start"
 160 ··chkconfig_state="on"
 161 else
 162 ··service_state="disable"
 163 ··service_operation="stop"
 164 ··chkconfig_state="off"
 165 fi
  
 166 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 167 if·[·"x$chkconfig_util"·!=·x·]·;·then
 168 ··$service_util·$service·$service_operation
 169 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 170 else
 171 ··$service_util·$service_operation·$service
 172 ··$service_util·$service_state·$service
 173 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 174 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 175 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 176 ··$service_util·reset-failed·$service
 177 fi
  
 178 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 179 #·If·empty,·then·xinetd·is·not·being·used.
 180 if·[·"x$xinetd"·!=·x·]·;·then
 181 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 182 ··if·[·"$service_operation"·=·'disable'·]·;·then
 183 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 184 ··else
 185 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 186 ··fi
 187 fi
  
 188 }
  
 189 service_command·enable·crond
 190 #·END·fix·for·'service_crond_enabled'
  
 191 ###############################################################################
 192 #·BEGIN·fix·(5·/·211)·for·'service_atd_disabled'
 193 ###############################################################################
 194 (>&2·echo·"Remediating·rule·5/211:·'service_atd_disabled'")
 195 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 196 #
 197 #·Example·Call(s):
 198 #
 199 #·····service_command·enable·bluetooth
 200 #·····service_command·disable·bluetooth.service
 201 #
 202 #·····Using·xinetd:
 203 #·····service_command·disable·rsh.socket·xinetd=rsh
 204 #
 205 function·service_command·{
  
 206 #·Load·function·arguments·into·local·variables
 207 local·service_state=$1
 208 local·service=$2
 209 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 210 #·Check·sanity·of·the·input
 211 if·[·$#·-lt·"2"·]
 212 then
 213 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 214 ··echo
 215 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 216 ··echo·"as·the·last·argument"··
 217 ··echo·"Aborting."
 218 ··exit·1
 219 fi
  
 220 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 221 if·[·-f·"/usr/bin/systemctl"·]·;·then
 222 ··service_util="/usr/bin/systemctl"
 223 else
 224 ··service_util="/sbin/service"
 225 ··chkconfig_util="/sbin/chkconfig"
 226 fi
Max diff block lines reached; 326691/332694 bytes (98.20%) of diff not shown.
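Review bot: In the new-side service_command body, the xinetd branch `if [ "$service_operation" = 'disable' ] ; then` can never be true, because service_operation is only ever assigned "start" or "stop" a few lines above, so both `service_command enable …` and `service_command disable …` with an `xinetd=` argument reach the else branch and write `disable = yes`. The comparison should use a value that is actually assigned, e.g. `if [ "$service_operation" = 'start' ] ; then` (or `"$service_state" = 'enable'`), so that an enable call sets `disable = no`. None of the calls visible in this section pass an xinetd argument, so the defect is latent here, but the same function body is emitted into every role script, including the desktop section above. The `$service` and `$xinetd` expansions in the same block are also unquoted, a style point best fixed once in the shared template rather than per generated script.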
286 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-ftp-server.sh
    
Offset 18, 17 lines modifiedOffset 18, 96 lines modified
18 #18 #
19 #·How·to·apply·this·remediation·role:19 #·How·to·apply·this·remediation·role:
20 #·$·sudo·./remediation-role.sh20 #·$·sudo·./remediation-role.sh
21 #21 #
22 ###############################################################################22 ###############################################################################
  
23 ###############################################################################23 ###############################################################################
24 #·BEGIN·fix·(1·/·192)·for·'require_smb_client_signing'24 #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon'
25 ###############################################################################25 ###############################################################################
26 (>&2·echo·"Remediating·rule·1/192:·'require_smb_client_signing'")26 (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'")
 27 #·FIX·FOR·THIS·RULE·IS·MISSING
 28 #·END·fix·for·'ftp_restrict_to_anon'
  
 29 ###############################################################################
 30 #·BEGIN·fix·(2·/·192)·for·'ftp_home_partition'
 31 ###############################################################################
 32 (>&2·echo·"Remediating·rule·2/192:·'ftp_home_partition'")
 33 #·FIX·FOR·THIS·RULE·IS·MISSING
 34 #·END·fix·for·'ftp_home_partition'
  
 35 ###############################################################################
 36 #·BEGIN·fix·(3·/·192)·for·'ftp_log_transactions'
 37 ###############################################################################
 38 (>&2·echo·"Remediating·rule·3/192:·'ftp_log_transactions'")
 39 #·FIX·FOR·THIS·RULE·IS·MISSING
 40 #·END·fix·for·'ftp_log_transactions'
  
 41 ###############################################################################
 42 #·BEGIN·fix·(4·/·192)·for·'ftp_disable_uploads'
 43 ###############################################################################
 44 (>&2·echo·"Remediating·rule·4/192:·'ftp_disable_uploads'")
 45 #·FIX·FOR·THIS·RULE·IS·MISSING
 46 #·END·fix·for·'ftp_disable_uploads'
  
 47 ###############################################################################
 48 #·BEGIN·fix·(5·/·192)·for·'ftp_present_banner'
 49 ###############################################################################
 50 (>&2·echo·"Remediating·rule·5/192:·'ftp_present_banner'")
 51 #·FIX·FOR·THIS·RULE·IS·MISSING
 52 #·END·fix·for·'ftp_present_banner'
  
 53 ###############################################################################
 54 #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed'
 55 ###############################################################################
 56 (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'")
 57 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 58 #
 59 #·Example·Call(s):
 60 #
 61 #·····package_install·aide
 62 #
 63 function·package_install·{
  
 64 #·Load·function·arguments·into·local·variables
 65 local·package="$1"
  
 66 #·Check·sanity·of·the·input
 67 if·[·$#·-ne·"1"·]
 68 then
 69 ··echo·"Usage:·package_install·'package_name'"
 70 ··echo·"Aborting."
 71 ··exit·1
 72 fi
  
 73 if·which·dnf·;·then
 74 ··if·!·rpm·-q·--quiet·"$package";·then
 75 ····dnf·install·-y·"$package"
 76 ··fi
 77 elif·which·yum·;·then
 78 ··if·!·rpm·-q·--quiet·"$package";·then
 79 ····yum·install·-y·"$package"
 80 ··fi
 81 elif·which·apt-get·;·then
 82 ··apt-get·install·-y·"$package"
 83 else
 84 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 85 ··echo·"Aborting."
 86 ··exit·1
 87 fi
  
 88 }
  
 89 package_install·vsftpd
 90 #·END·fix·for·'package_vsftpd_installed'
  
 91 ###############################################################################
 92 #·BEGIN·fix·(7·/·192)·for·'require_smb_client_signing'
 93 ###############################################################################
 94 (>&2·echo·"Remediating·rule·7/192:·'require_smb_client_signing'")
27 ######################################################################95 ######################################################################
28 #By·Luke·"Brisk-OH"·Brisk96 #By·Luke·"Brisk-OH"·Brisk
29 #luke.brisk@boeing.com·or·luke.brisk@gmail.com97 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
30 ######################################################################98 ######################################################################
  
31 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)99 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
Offset 37, 38 lines modifiedOffset 116, 24 lines modified
37 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf116 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
38 else117 else
39 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf118 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
40 fi119 fi
41 #·END·fix·for·'require_smb_client_signing'120 #·END·fix·for·'require_smb_client_signing'
  
42 ###############################################################################121 ###############################################################################
43 #·BEGIN·fix·(2·/·192)·for·'mount_option_smb_client_signing'122 #·BEGIN·fix·(8·/·192)·for·'mount_option_smb_client_signing'
44 ###############################################################################123 ###############################################################################
45 (>&2·echo·"Remediating·rule·2/192:·'mount_option_smb_client_signing'")124 (>&2·echo·"Remediating·rule·8/192:·'mount_option_smb_client_signing'")
46 #·FIX·FOR·THIS·RULE·IS·MISSING125 #·FIX·FOR·THIS·RULE·IS·MISSING
47 #·END·fix·for·'mount_option_smb_client_signing'126 #·END·fix·for·'mount_option_smb_client_signing'
  
48 ###############################################################################127 ###############################################################################
49 #·BEGIN·fix·(3·/·192)·for·'postfix_network_listening_disabled'128 #·BEGIN·fix·(9·/·192)·for·'service_ntpd_enabled'
50 ############################################################################### 
51 (>&2·echo·"Remediating·rule·3/192:·'postfix_network_listening_disabled'") 
52 #·FIX·FOR·THIS·RULE·IS·MISSING 
53 #·END·fix·for·'postfix_network_listening_disabled' 
  
54 ############################################################################### 
55 #·BEGIN·fix·(4·/·192)·for·'sysconfig_networking_bootproto_ifcfg' 
56 ############################################################################### 
57 (>&2·echo·"Remediating·rule·4/192:·'sysconfig_networking_bootproto_ifcfg'") 
58 #·FIX·FOR·THIS·RULE·IS·MISSING 
59 #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' 
  
60 ############################################################################### 
61 #·BEGIN·fix·(5·/·192)·for·'service_ntpd_enabled' 
62 ###############################################################################129 ###############################################################################
Max diff block lines reached; 286922/292683 bytes (98.03%) of diff not shown.
411 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-nist-CL-IL-AL.sh
    
Offset 22, 43 lines modifiedOffset 22, 61 lines modified
22 #22 #
23 #·How·to·apply·this·remediation·role:23 #·How·to·apply·this·remediation·role:
24 #·$·sudo·./remediation-role.sh24 #·$·sudo·./remediation-role.sh
25 #25 #
26 ###############################################################################26 ###############################################################################
  
27 ###############################################################################27 ###############################################################################
28 #·BEGIN·fix·(1·/·270)·for·'require_smb_client_signing'28 #·BEGIN·fix·(1·/·270)·for·'package_vsftpd_removed'
29 ###############################################################################29 ###############################################################################
30 (>&2·echo·"Remediating·rule·1/270:·'require_smb_client_signing'")30 (>&2·echo·"Remediating·rule·1/270:·'package_vsftpd_removed'")
31 ######################################################################31 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
32 #By·Luke·"Brisk-OH"·Brisk32 #
33 #luke.brisk@boeing.com·or·luke.brisk@gmail.com33 #·Example·Call(s):
34 ######################################################################34 #
 35 #·····package_remove·telnet-server
 36 #
 37 function·package_remove·{
  
35 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)38 #·Load·function·arguments·into·local·variables
 39 local·package="$1"
  
36 if·[·"$CLIENTSIGNING"·-eq·0·];··then40 #·Check·sanity·of·the·input
37 »       #·Add·to·global·section41 if·[·$#·-ne·"1"·]
38 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf42 then
 43 ··echo·"Usage:·package_remove·'package_name'"
 44 ··echo·"Aborting."
 45 ··exit·1
 46 fi
  
 47 if·which·dnf·;·then
 48 ··if·rpm·-q·--quiet·"$package";·then
 49 ····dnf·remove·-y·"$package"
 50 ··fi
 51 elif·which·yum·;·then
 52 ··if·rpm·-q·--quiet·"$package";·then
 53 ····yum·remove·-y·"$package"
 54 ··fi
 55 elif·which·apt-get·;·then
 56 ··apt-get·remove·-y·"$package"
39 else57 else
40 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf58 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 59 ··echo·"Aborting."
 60 ··exit·1
41 fi61 fi
42 #·END·fix·for·'require_smb_client_signing' 
  
43 ###############################################################################62 }
44 #·BEGIN·fix·(2·/·270)·for·'mount_option_smb_client_signing' 
45 ###############################################################################63 package_remove·vsftpd
46 (>&2·echo·"Remediating·rule·2/270:·'mount_option_smb_client_signing'")64 #·END·fix·for·'package_vsftpd_removed'
47 #·FIX·FOR·THIS·RULE·IS·MISSING 
48 #·END·fix·for·'mount_option_smb_client_signing' 
  
49 ###############################################################################65 ###############################################################################
50 #·BEGIN·fix·(3·/·270)·for·'service_httpd_disabled'66 #·BEGIN·fix·(2·/·270)·for·'service_httpd_disabled'
51 ###############################################################################67 ###############################################################################
52 (>&2·echo·"Remediating·rule·3/270:·'service_httpd_disabled'")68 (>&2·echo·"Remediating·rule·2/270:·'service_httpd_disabled'")
53 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.69 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
54 #70 #
55 #·Example·Call(s):71 #·Example·Call(s):
56 #72 #
57 #·····service_command·enable·bluetooth73 #·····service_command·enable·bluetooth
58 #·····service_command·disable·bluetooth.service74 #·····service_command·disable·bluetooth.service
59 #75 #
Offset 130, 17 lines modifiedOffset 148, 17 lines modified
  
130 }148 }
  
131 service_command·disable·httpd149 service_command·disable·httpd
132 #·END·fix·for·'service_httpd_disabled'150 #·END·fix·for·'service_httpd_disabled'
  
133 ###############################################################################151 ###############################################################################
134 #·BEGIN·fix·(4·/·270)·for·'package_httpd_removed'152 #·BEGIN·fix·(3·/·270)·for·'package_httpd_removed'
135 ###############################################################################153 ###############################################################################
136 (>&2·echo·"Remediating·rule·4/270:·'package_httpd_removed'")154 (>&2·echo·"Remediating·rule·3/270:·'package_httpd_removed'")
137 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.155 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
138 #156 #
139 #·Example·Call(s):157 #·Example·Call(s):
140 #158 #
141 #·····package_remove·telnet-server159 #·····package_remove·telnet-server
142 #160 #
143 function·package_remove·{161 function·package_remove·{
Offset 174, 75 lines modifiedOffset 192, 99 lines modified
  
174 }192 }
  
175 package_remove·httpd193 package_remove·httpd
176 #·END·fix·for·'package_httpd_removed'194 #·END·fix·for·'package_httpd_removed'
  
177 ###############################################################################195 ###############################################################################
178 #·BEGIN·fix·(5·/·270)·for·'postfix_network_listening_disabled'196 #·BEGIN·fix·(4·/·270)·for·'service_named_disabled'
179 ###############################################################################197 ###############################################################################
180 (>&2·echo·"Remediating·rule·5/270:·'postfix_network_listening_disabled'")198 (>&2·echo·"Remediating·rule·4/270:·'service_named_disabled'")
181 #·FIX·FOR·THIS·RULE·IS·MISSING199 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
182 #·END·fix·for·'postfix_network_listening_disabled' 
  
183 ############################################################################### 
184 #·BEGIN·fix·(6·/·270)·for·'package_sendmail_removed' 
185 ############################################################################### 
186 (>&2·echo·"Remediating·rule·6/270:·'package_sendmail_removed'") 
187 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
188 #200 #
189 #·Example·Call(s):201 #·Example·Call(s):
190 #202 #
191 #·····package_remove·telnet-server203 #·····service_command·enable·bluetooth
 204 #·····service_command·disable·bluetooth.service
192 #205 #
193 function·package_remove·{206 #·····Using·xinetd:
 207 #·····service_command·disable·rsh.socket·xinetd=rsh
 208 #
 209 function·service_command·{
  
194 #·Load·function·arguments·into·local·variables210 #·Load·function·arguments·into·local·variables
195 local·package="$1"211 local·service_state=$1
 212 local·service=$2
 213 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
196 #·Check·sanity·of·the·input214 #·Check·sanity·of·the·input
197 if·[·$#·-ne·"1"·]215 if·[·$#·-lt·"2"·]
198 then216 then
199 ··echo·"Usage:·package_remove·'package_name'"217 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 218 ··echo
 219 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 220 ··echo·"as·the·last·argument"··
200 ··echo·"Aborting."221 ··echo·"Aborting."
201 ··exit·1222 ··exit·1
202 fi223 fi
Max diff block lines reached; 415516/421004 bytes (98.70%) of diff not shown.
188 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-pci-dss.sh
    
Offset 128, 424 lines modifiedOffset 128, 17 lines modified
128 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config128 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config
129 if·!·[·$?·-eq·0·];·then129 if·!·[·$?·-eq·0·];·then
130 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config130 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config
131 fi131 fi
132 #·END·fix·for·'sshd_set_idle_timeout'132 #·END·fix·for·'sshd_set_idle_timeout'
  
133 ###############################################################################133 ###############################################################################
134 #·BEGIN·fix·(5·/·94)·for·'rpm_verify_permissions'134 #·BEGIN·fix·(5·/·94)·for·'rsyslog_files_permissions'
135 ###############################################################################135 ###############################################################################
136 (>&2·echo·"Remediating·rule·5/94:·'rpm_verify_permissions'")136 (>&2·echo·"Remediating·rule·5/94:·'rsyslog_files_permissions'")
  
137 #·Declare·array·to·hold·list·of·RPM·packages·we·need·to·correct·permissions·for 
138 declare·-a·SETPERMS_RPM_LIST 
  
139 #·Create·a·list·of·files·on·the·system·having·permissions·different·from·what 
140 #·is·expected·by·the·RPM·database 
141 FILES_WITH_INCORRECT_PERMS=($(rpm·-Va·--nofiledigest·|·grep·'^.M'·|·cut·-d·'·'·-f4-)) 
  
142 #·For·each·file·path·from·that·list: 
143 #·*·Determine·the·RPM·package·the·file·path·is·shipped·by, 
144 #·*·Include·it·into·SETPERMS_RPM_LIST·array 
  
145 for·FILE_PATH·in·"${FILES_WITH_INCORRECT_PERMS[@]}" 
146 do 
147 »       RPM_PACKAGE=$(rpm·-qf·"$FILE_PATH") 
148 »       SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}"·"$RPM_PACKAGE") 
149 done 
  
150 #·Remove·duplicate·mention·of·same·RPM·in·$SETPERMS_RPM_LIST·(if·any) 
151 SETPERMS_RPM_LIST=(·$(echo·"${SETPERMS_RPM_LIST[@]}"·|·tr·'·'·'\n'·|·sort·-u·|·tr·'\n'·'·')·) 
  
152 #·For·each·of·the·RPM·packages·left·in·the·list·--·reset·its·permissions·to·the 
153 #·correct·values 
154 for·RPM_PACKAGE·in·"${SETPERMS_RPM_LIST[@]}" 
155 do 
156 »       rpm·--setperms·"${RPM_PACKAGE}" 
157 done 
158 #·END·fix·for·'rpm_verify_permissions' 
  
159 ############################################################################### 
160 #·BEGIN·fix·(6·/·94)·for·'rpm_verify_hashes' 
161 ############################################################################### 
162 (>&2·echo·"Remediating·rule·6/94:·'rpm_verify_hashes'") 
163 #·FIX·FOR·THIS·RULE·IS·MISSING 
164 #·END·fix·for·'rpm_verify_hashes' 
  
165 ############################################################################### 
166 #·BEGIN·fix·(7·/·94)·for·'install_hids' 
167 ############################################################################### 
168 (>&2·echo·"Remediating·rule·7/94:·'install_hids'") 
169 #·FIX·FOR·THIS·RULE·IS·MISSING 
170 #·END·fix·for·'install_hids' 
  
171 ############################################################################### 
172 #·BEGIN·fix·(8·/·94)·for·'package_aide_installed' 
173 ############################################################################### 
174 (>&2·echo·"Remediating·rule·8/94:·'package_aide_installed'") 
175 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
176 # 
177 #·Example·Call(s): 
178 # 
179 #·····package_install·aide 
180 # 
181 function·package_install·{ 
  
182 #·Load·function·arguments·into·local·variables 
183 local·package="$1" 
  
184 #·Check·sanity·of·the·input 
185 if·[·$#·-ne·"1"·] 
186 then 
187 ··echo·"Usage:·package_install·'package_name'" 
188 ··echo·"Aborting." 
189 ··exit·1 
190 fi 
  
191 if·which·dnf·;·then 
192 ··if·!·rpm·-q·--quiet·"$package";·then 
193 ····dnf·install·-y·"$package" 
194 ··fi 
195 elif·which·yum·;·then 
196 ··if·!·rpm·-q·--quiet·"$package";·then 
197 ····yum·install·-y·"$package" 
198 ··fi 
199 elif·which·apt-get·;·then 
200 ··apt-get·install·-y·"$package" 
201 else 
202 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
203 ··echo·"Aborting." 
204 ··exit·1 
205 fi 
  
206 } 
  
207 package_install·aide 
208 #·END·fix·for·'package_aide_installed' 
  
209 ############################################################################### 
210 #·BEGIN·fix·(9·/·94)·for·'aide_periodic_cron_checking' 
211 ############################################################################### 
212 (>&2·echo·"Remediating·rule·9/94:·'aide_periodic_cron_checking'") 
213 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
214 # 
215 #·Example·Call(s): 
216 # 
217 #·····package_install·aide 
218 # 
219 function·package_install·{ 
  
220 #·Load·function·arguments·into·local·variables 
221 local·package="$1" 
  
222 #·Check·sanity·of·the·input 
223 if·[·$#·-ne·"1"·] 
224 then 
225 ··echo·"Usage:·package_install·'package_name'" 
226 ··echo·"Aborting." 
227 ··exit·1 
228 fi 
  
229 if·which·dnf·;·then 
230 ··if·!·rpm·-q·--quiet·"$package";·then 
231 ····dnf·install·-y·"$package" 
232 ··fi 
233 elif·which·yum·;·then 
234 ··if·!·rpm·-q·--quiet·"$package";·then 
235 ····yum·install·-y·"$package" 
Max diff block lines reached; 176223/192119 bytes (91.73%) of diff not shown.
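Review bot: The rule set at the same offset differs between the two builds of this generated role — at new-side line 134 rule 5/94 is 'rsyslog_files_permissions' while b1 had 'rpm_verify_permissions', and b1's rpm_verify_hashes, install_hids and package_aide_installed blocks have no counterpart in the visible b2 range — so the step that assembles ssg-rhel6-role-*.sh emits remediations in a non-deterministic order; the rht-ccp, server, standard and stig-rhel6-disa sections below show the same pattern. Because every section is truncated by the diff viewer, it cannot be seen here whether the displaced rules appear later in b2 or are dropped, and a dropped remediation (for example the `rpm --setperms` loop or `package_install aide`) would silently weaken the hardening the role is meant to apply. The fix belongs in the generator rather than in these scripts: emit the selected rules in a stable order (sorted by rule id, or in the profile's declared order) and add a build check that two builds produce byte-identical roles, so a reviewer can distinguish a reordering from a lost rule.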
82.8 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-rht-ccp.sh
    
Offset 18, 38 lines modifiedOffset 18, 120 lines modified
18 #18 #
19 #·How·to·apply·this·remediation·role:19 #·How·to·apply·this·remediation·role:
20 #·$·sudo·./remediation-role.sh20 #·$·sudo·./remediation-role.sh
21 #21 #
22 ###############################################################################22 ###############################################################################
  
23 ###############################################################################23 ###############################################################################
24 #·BEGIN·fix·(1·/·94)·for·'service_rlogin_disabled'24 #·BEGIN·fix·(1·/·94)·for·'service_atd_disabled'
25 ###############################################################################25 ###############################################################################
26 (>&2·echo·"Remediating·rule·1/94:·'service_rlogin_disabled'")26 (>&2·echo·"Remediating·rule·1/94:·'service_atd_disabled'")
 27 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 28 #
 29 #·Example·Call(s):
 30 #
 31 #·····service_command·enable·bluetooth
 32 #·····service_command·disable·bluetooth.service
 33 #
 34 #·····Using·xinetd:
 35 #·····service_command·disable·rsh.socket·xinetd=rsh
 36 #
 37 function·service_command·{
  
 38 #·Load·function·arguments·into·local·variables
 39 local·service_state=$1
 40 local·service=$2
 41 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 42 #·Check·sanity·of·the·input
 43 if·[·$#·-lt·"2"·]
 44 then
 45 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 46 ··echo
 47 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 48 ··echo·"as·the·last·argument"··
 49 ··echo·"Aborting."
 50 ··exit·1
 51 fi
  
 52 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 53 if·[·-f·"/usr/bin/systemctl"·]·;·then
 54 ··service_util="/usr/bin/systemctl"
 55 else
 56 ··service_util="/sbin/service"
 57 ··chkconfig_util="/sbin/chkconfig"
 58 fi
  
 59 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 60 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 61 if·[·"$service_state"·!=·'disable'·]·;·then
 62 ··service_state="enable"
 63 ··service_operation="start"
 64 ··chkconfig_state="on"
 65 else
 66 ··service_state="disable"
 67 ··service_operation="stop"
 68 ··chkconfig_state="off"
 69 fi
  
 70 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 71 if·[·"x$chkconfig_util"·!=·x·]·;·then
 72 ··$service_util·$service·$service_operation
 73 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 74 else
 75 ··$service_util·$service_operation·$service
 76 ··$service_util·$service_state·$service
 77 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 78 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 79 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 80 ··$service_util·reset-failed·$service
 81 fi
  
 82 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 83 #·If·empty,·then·xinetd·is·not·being·used.
 84 if·[·"x$xinetd"·!=·x·]·;·then
 85 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 86 ··if·[·"$service_operation"·=·'disable'·]·;·then
 87 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 88 ··else
 89 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 90 ··fi
 91 fi
  
 92 }
  
 93 service_command·disable·atd
 94 #·END·fix·for·'service_atd_disabled'
  
 95 ###############################################################################
 96 #·BEGIN·fix·(2·/·94)·for·'service_rlogin_disabled'
 97 ###############################################################################
 98 (>&2·echo·"Remediating·rule·2/94:·'service_rlogin_disabled'")
27 #·FIX·FOR·THIS·RULE·IS·MISSING99 #·FIX·FOR·THIS·RULE·IS·MISSING
28 #·END·fix·for·'service_rlogin_disabled'100 #·END·fix·for·'service_rlogin_disabled'
  
29 ###############################################################################101 ###############################################################################
30 #·BEGIN·fix·(2·/·94)·for·'service_rexec_disabled'102 #·BEGIN·fix·(3·/·94)·for·'service_rexec_disabled'
31 ###############################################################################103 ###############################################################################
32 (>&2·echo·"Remediating·rule·2/94:·'service_rexec_disabled'")104 (>&2·echo·"Remediating·rule·3/94:·'service_rexec_disabled'")
33 #·FIX·FOR·THIS·RULE·IS·MISSING105 #·FIX·FOR·THIS·RULE·IS·MISSING
34 #·END·fix·for·'service_rexec_disabled'106 #·END·fix·for·'service_rexec_disabled'
  
35 ###############################################################################107 ###############################################################################
36 #·BEGIN·fix·(3·/·94)·for·'service_rsh_disabled'108 #·BEGIN·fix·(4·/·94)·for·'service_rsh_disabled'
37 ###############################################################################109 ###############################################################################
38 (>&2·echo·"Remediating·rule·3/94:·'service_rsh_disabled'")110 (>&2·echo·"Remediating·rule·4/94:·'service_rsh_disabled'")
39 #·FIX·FOR·THIS·RULE·IS·MISSING111 #·FIX·FOR·THIS·RULE·IS·MISSING
40 #·END·fix·for·'service_rsh_disabled'112 #·END·fix·for·'service_rsh_disabled'
  
41 ###############################################################################113 ###############################################################################
42 #·BEGIN·fix·(4·/·94)·for·'package_rsh-server_removed'114 #·BEGIN·fix·(5·/·94)·for·'package_rsh-server_removed'
43 ###############################################################################115 ###############################################################################
44 (>&2·echo·"Remediating·rule·4/94:·'package_rsh-server_removed'")116 (>&2·echo·"Remediating·rule·5/94:·'package_rsh-server_removed'")
45 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.117 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
46 #118 #
47 #·Example·Call(s):119 #·Example·Call(s):
48 #120 #
49 #·····package_remove·telnet-server121 #·····package_remove·telnet-server
50 #122 #
51 function·package_remove·{123 function·package_remove·{
Offset 83, 17 lines modifiedOffset 165, 17 lines modified
  
83 }165 }
  
84 package_remove·rsh-server166 package_remove·rsh-server
85 #·END·fix·for·'package_rsh-server_removed'167 #·END·fix·for·'package_rsh-server_removed'
  
Max diff block lines reached; 79730/84667 bytes (94.17%) of diff not shown.
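Review bot: The xinetd branch of the newly added service_command (new-side lines 84-91) tests `if [ "$service_operation" = 'disable' ]`, but service_operation is only ever assigned "start" or "stop" (lines 63 and 67), so the condition is always false and the sed always writes `disable = yes` — calling the helper with 'enable' on an xinetd service would disable it. The test should be against the normalised state, e.g. `if [ "$service_state" = 'enable' ] ; then` writing `disable = no` and the else branch `disable = yes`; the `service_command disable atd` call at line 93 is unaffected because it passes no xinetd argument. The expansions `$service`, `$xinetd` and `$3` at lines 41, 72-76 and 85-89 are unquoted, which is fine for the generated calls but worth quoting (`"$service"`, `/etc/xinetd.d/"$xinetd"`) since the same helper is copied verbatim into the other roles, including the stig-rhel6-disa section further down, which is cut off before this branch.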
279 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-server.sh
    
Offset 45, 31 lines modifiedOffset 45, 17 lines modified
45 #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing'45 #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing'
46 ###############################################################################46 ###############################################################################
47 (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'")47 (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'")
48 #·FIX·FOR·THIS·RULE·IS·MISSING48 #·FIX·FOR·THIS·RULE·IS·MISSING
49 #·END·fix·for·'mount_option_smb_client_signing'49 #·END·fix·for·'mount_option_smb_client_signing'
  
50 ###############################################################################50 ###############################################################################
51 #·BEGIN·fix·(3·/·186)·for·'postfix_network_listening_disabled'51 #·BEGIN·fix·(3·/·186)·for·'service_ntpd_enabled'
52 ###############################################################################52 ###############################################################################
53 (>&2·echo·"Remediating·rule·3/186:·'postfix_network_listening_disabled'")53 (>&2·echo·"Remediating·rule·3/186:·'service_ntpd_enabled'")
54 #·FIX·FOR·THIS·RULE·IS·MISSING 
55 #·END·fix·for·'postfix_network_listening_disabled' 
  
56 ############################################################################### 
57 #·BEGIN·fix·(4·/·186)·for·'sysconfig_networking_bootproto_ifcfg' 
58 ############################################################################### 
59 (>&2·echo·"Remediating·rule·4/186:·'sysconfig_networking_bootproto_ifcfg'") 
60 #·FIX·FOR·THIS·RULE·IS·MISSING 
61 #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' 
  
62 ############################################################################### 
63 #·BEGIN·fix·(5·/·186)·for·'service_ntpd_enabled' 
64 ############################################################################### 
65 (>&2·echo·"Remediating·rule·5/186:·'service_ntpd_enabled'") 
66 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.54 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
67 #55 #
68 #·Example·Call(s):56 #·Example·Call(s):
69 #57 #
70 #·····service_command·enable·bluetooth58 #·····service_command·enable·bluetooth
71 #·····service_command·disable·bluetooth.service59 #·····service_command·disable·bluetooth.service
72 #60 #
Offset 141, 45 lines modifiedOffset 127, 24 lines modified
  
141 }127 }
  
142 service_command·enable·ntpd128 service_command·enable·ntpd
143 #·END·fix·for·'service_ntpd_enabled'129 #·END·fix·for·'service_ntpd_enabled'
  
144 ###############################################################################130 ###############################################################################
145 #·BEGIN·fix·(6·/·186)·for·'ntpd_specify_remote_server'131 #·BEGIN·fix·(4·/·186)·for·'ntpd_specify_remote_server'
146 ###############################################################################132 ###############################################################################
147 (>&2·echo·"Remediating·rule·6/186:·'ntpd_specify_remote_server'")133 (>&2·echo·"Remediating·rule·4/186:·'ntpd_specify_remote_server'")
148 #·FIX·FOR·THIS·RULE·IS·MISSING134 #·FIX·FOR·THIS·RULE·IS·MISSING
149 #·END·fix·for·'ntpd_specify_remote_server'135 #·END·fix·for·'ntpd_specify_remote_server'
  
150 ###############################################################################136 ###############################################################################
151 #·BEGIN·fix·(7·/·186)·for·'service_rlogin_disabled'137 #·BEGIN·fix·(5·/·186)·for·'package_openldap-servers_removed'
152 ############################################################################### 
153 (>&2·echo·"Remediating·rule·7/186:·'service_rlogin_disabled'") 
154 #·FIX·FOR·THIS·RULE·IS·MISSING 
155 #·END·fix·for·'service_rlogin_disabled' 
  
156 ############################################################################### 
157 #·BEGIN·fix·(8·/·186)·for·'service_rexec_disabled' 
158 ###############################################################################138 ###############################################################################
159 (>&2·echo·"Remediating·rule·8/186:·'service_rexec_disabled'")139 (>&2·echo·"Remediating·rule·5/186:·'package_openldap-servers_removed'")
160 #·FIX·FOR·THIS·RULE·IS·MISSING 
161 #·END·fix·for·'service_rexec_disabled' 
  
162 ############################################################################### 
163 #·BEGIN·fix·(9·/·186)·for·'service_rsh_disabled' 
164 ############################################################################### 
165 (>&2·echo·"Remediating·rule·9/186:·'service_rsh_disabled'") 
166 #·FIX·FOR·THIS·RULE·IS·MISSING 
167 #·END·fix·for·'service_rsh_disabled' 
  
168 ############################################################################### 
169 #·BEGIN·fix·(10·/·186)·for·'package_rsh-server_removed' 
170 ############################################################################### 
171 (>&2·echo·"Remediating·rule·10/186:·'package_rsh-server_removed'") 
172 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.140 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
173 #141 #
174 #·Example·Call(s):142 #·Example·Call(s):
175 #143 #
176 #·····package_remove·telnet-server144 #·····package_remove·telnet-server
177 #145 #
178 function·package_remove·{146 function·package_remove·{
Offset 209, 83 lines modifiedOffset 174, 279 lines modified
209 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"174 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
210 ··echo·"Aborting."175 ··echo·"Aborting."
211 ··exit·1176 ··exit·1
212 fi177 fi
  
213 }178 }
  
214 package_remove·rsh-server179 package_remove·openldap-servers
215 #·END·fix·for·'package_rsh-server_removed'180 #·END·fix·for·'package_openldap-servers_removed'
  
216 ###############################################################################181 ###############################################################################
217 #·BEGIN·fix·(11·/·186)·for·'no_rsh_trust_files'182 #·BEGIN·fix·(6·/·186)·for·'ldap_client_start_tls'
218 ###############################################################################183 ###############################################################################
219 (>&2·echo·"Remediating·rule·11/186:·'no_rsh_trust_files'")184 (>&2·echo·"Remediating·rule·6/186:·'ldap_client_start_tls'")
220 find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; 
  
221 if·[·-f·/etc/hosts.equiv·];·then 
222 »       /bin/rm·-f·/etc/hosts.equiv185 #·Use·LDAP·for·authentication
223 fi186 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
224 #·END·fix·for·'no_rsh_trust_files'187 #·it·does·not·exist.
 188 #
 189 #·Expects·arguments:
 190 #
 191 #·config_file:»  »  Configuration·file·that·will·be·modified
 192 #·key:»  »  »  Configuration·option·to·change
 193 #·value:»»Value·of·the·configuration·option·to·change
 194 #·cce:»  »  »  The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists
 195 #·format:»       »       The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments,
 196 #»      »      »      so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=)
 197 #
 198 #·Optional·arugments:
 199 #
 200 #·format:»       »       Optional·argument·to·specify·the·format·of·how·key/value·should·be
 201 #·»      »      »      modified/appended·in·the·configuration·file.·The·default·is·key·=·value.
 202 #
 203 #·Example·Call(s):
 204 #
 205 #·····With·default·format·of·'key·=·value':
 206 #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@'
 207 #
 208 #·····With·custom·key/value·format:
 209 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s'
 210 #
 211 #·····With·a·variable:
 212 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s'
 213 #
 214 function·replace_or_append·{
 215 ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option=''
 216 ··local·config_file=$1
Max diff block lines reached; 274005/285608 bytes (95.94%) of diff not shown.
275 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-standard.sh
    
Offset 46, 24 lines modifiedOffset 46, 17 lines modified
46 #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing'46 #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing'
47 ###############################################################################47 ###############################################################################
48 (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'")48 (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'")
49 #·FIX·FOR·THIS·RULE·IS·MISSING49 #·FIX·FOR·THIS·RULE·IS·MISSING
50 #·END·fix·for·'mount_option_smb_client_signing'50 #·END·fix·for·'mount_option_smb_client_signing'
  
51 ###############################################################################51 ###############################################################################
52 #·BEGIN·fix·(3·/·182)·for·'postfix_network_listening_disabled'52 #·BEGIN·fix·(3·/·182)·for·'service_ntpd_enabled'
53 ###############################################################################53 ###############################################################################
54 (>&2·echo·"Remediating·rule·3/182:·'postfix_network_listening_disabled'")54 (>&2·echo·"Remediating·rule·3/182:·'service_ntpd_enabled'")
55 #·FIX·FOR·THIS·RULE·IS·MISSING 
56 #·END·fix·for·'postfix_network_listening_disabled' 
  
57 ############################################################################### 
58 #·BEGIN·fix·(4·/·182)·for·'service_ntpd_enabled' 
59 ############################################################################### 
60 (>&2·echo·"Remediating·rule·4/182:·'service_ntpd_enabled'") 
61 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.55 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
62 #56 #
63 #·Example·Call(s):57 #·Example·Call(s):
64 #58 #
65 #·····service_command·enable·bluetooth59 #·····service_command·enable·bluetooth
66 #·····service_command·disable·bluetooth.service60 #·····service_command·disable·bluetooth.service
67 #61 #
Offset 135, 45 lines modifiedOffset 128, 24 lines modified
  
135 }128 }
  
136 service_command·enable·ntpd129 service_command·enable·ntpd
137 #·END·fix·for·'service_ntpd_enabled'130 #·END·fix·for·'service_ntpd_enabled'
  
138 ###############################################################################131 ###############################################################################
139 #·BEGIN·fix·(5·/·182)·for·'ntpd_specify_remote_server'132 #·BEGIN·fix·(4·/·182)·for·'ntpd_specify_remote_server'
140 ###############################################################################133 ###############################################################################
141 (>&2·echo·"Remediating·rule·5/182:·'ntpd_specify_remote_server'")134 (>&2·echo·"Remediating·rule·4/182:·'ntpd_specify_remote_server'")
142 #·FIX·FOR·THIS·RULE·IS·MISSING135 #·FIX·FOR·THIS·RULE·IS·MISSING
143 #·END·fix·for·'ntpd_specify_remote_server'136 #·END·fix·for·'ntpd_specify_remote_server'
  
144 ###############################################################################137 ###############################################################################
145 #·BEGIN·fix·(6·/·182)·for·'service_rlogin_disabled'138 #·BEGIN·fix·(5·/·182)·for·'package_openldap-servers_removed'
146 ############################################################################### 
147 (>&2·echo·"Remediating·rule·6/182:·'service_rlogin_disabled'") 
148 #·FIX·FOR·THIS·RULE·IS·MISSING 
149 #·END·fix·for·'service_rlogin_disabled' 
  
150 ############################################################################### 
151 #·BEGIN·fix·(7·/·182)·for·'service_rexec_disabled' 
152 ############################################################################### 
153 (>&2·echo·"Remediating·rule·7/182:·'service_rexec_disabled'") 
154 #·FIX·FOR·THIS·RULE·IS·MISSING 
155 #·END·fix·for·'service_rexec_disabled' 
  
156 ############################################################################### 
157 #·BEGIN·fix·(8·/·182)·for·'service_rsh_disabled' 
158 ###############################################################################139 ###############################################################################
159 (>&2·echo·"Remediating·rule·8/182:·'service_rsh_disabled'")140 (>&2·echo·"Remediating·rule·5/182:·'package_openldap-servers_removed'")
160 #·FIX·FOR·THIS·RULE·IS·MISSING 
161 #·END·fix·for·'service_rsh_disabled' 
  
162 ############################################################################### 
163 #·BEGIN·fix·(9·/·182)·for·'package_rsh-server_removed' 
164 ############################################################################### 
165 (>&2·echo·"Remediating·rule·9/182:·'package_rsh-server_removed'") 
166 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.141 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
167 #142 #
168 #·Example·Call(s):143 #·Example·Call(s):
169 #144 #
170 #·····package_remove·telnet-server145 #·····package_remove·telnet-server
171 #146 #
172 function·package_remove·{147 function·package_remove·{
Offset 203, 83 lines modifiedOffset 175, 279 lines modified
203 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"175 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
204 ··echo·"Aborting."176 ··echo·"Aborting."
205 ··exit·1177 ··exit·1
206 fi178 fi
  
207 }179 }
  
208 package_remove·rsh-server180 package_remove·openldap-servers
209 #·END·fix·for·'package_rsh-server_removed'181 #·END·fix·for·'package_openldap-servers_removed'
  
210 ###############################################################################182 ###############################################################################
211 #·BEGIN·fix·(10·/·182)·for·'no_rsh_trust_files'183 #·BEGIN·fix·(6·/·182)·for·'ldap_client_start_tls'
212 ###############################################################################184 ###############################################################################
213 (>&2·echo·"Remediating·rule·10/182:·'no_rsh_trust_files'")185 (>&2·echo·"Remediating·rule·6/182:·'ldap_client_start_tls'")
214 find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; 
  
215 if·[·-f·/etc/hosts.equiv·];·then 
216 »       /bin/rm·-f·/etc/hosts.equiv186 #·Use·LDAP·for·authentication
217 fi187 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
218 #·END·fix·for·'no_rsh_trust_files'188 #·it·does·not·exist.
 189 #
 190 #·Expects·arguments:
 191 #
 192 #·config_file:»  »  Configuration·file·that·will·be·modified
 193 #·key:»  »  »  Configuration·option·to·change
 194 #·value:»»Value·of·the·configuration·option·to·change
 195 #·cce:»  »  »  The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists
 196 #·format:»       »       The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments,
 197 #»      »      »      so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=)
 198 #
 199 #·Optional·arugments:
 200 #
 201 #·format:»       »       Optional·argument·to·specify·the·format·of·how·key/value·should·be
 202 #·»      »      »      modified/appended·in·the·configuration·file.·The·default·is·key·=·value.
 203 #
 204 #·Example·Call(s):
 205 #
 206 #·····With·default·format·of·'key·=·value':
 207 #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@'
 208 #
 209 #·····With·custom·key/value·format:
 210 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s'
 211 #
 212 #·····With·a·variable:
 213 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s'
 214 #
 215 function·replace_or_append·{
 216 ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option=''
 217 ··local·config_file=$1
 218 ··local·key=$2
 219 ··local·value=$3
 220 ··local·cce=$4
 221 ··local·format=$5
  
 222 ··if·[·"$case_insensitive_mode"·=·yes·];·then
 223 ····sed_case_insensitive_option="i"
Max diff block lines reached; 270022/281230 bytes (96.01%) of diff not shown.
351 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-stig-rhel6-disa.sh
    
Offset 25, 17 lines modifiedOffset 25, 31 lines modified
25 #25 #
26 #·How·to·apply·this·remediation·role:26 #·How·to·apply·this·remediation·role:
27 #·$·sudo·./remediation-role.sh27 #·$·sudo·./remediation-role.sh
28 #28 #
29 ###############################################################################29 ###############################################################################
  
30 ###############################################################################30 ###############################################################################
31 #·BEGIN·fix·(1·/·250)·for·'require_smb_client_signing'31 #·BEGIN·fix·(1·/·250)·for·'ftp_log_transactions'
32 ###############################################################################32 ###############################################################################
33 (>&2·echo·"Remediating·rule·1/250:·'require_smb_client_signing'")33 (>&2·echo·"Remediating·rule·1/250:·'ftp_log_transactions'")
 34 #·FIX·FOR·THIS·RULE·IS·MISSING
 35 #·END·fix·for·'ftp_log_transactions'
  
 36 ###############################################################################
 37 #·BEGIN·fix·(2·/·250)·for·'ftp_present_banner'
 38 ###############################################################################
 39 (>&2·echo·"Remediating·rule·2/250:·'ftp_present_banner'")
 40 #·FIX·FOR·THIS·RULE·IS·MISSING
 41 #·END·fix·for·'ftp_present_banner'
  
 42 ###############################################################################
 43 #·BEGIN·fix·(3·/·250)·for·'require_smb_client_signing'
 44 ###############################################################################
 45 (>&2·echo·"Remediating·rule·3/250:·'require_smb_client_signing'")
34 ######################################################################46 ######################################################################
35 #By·Luke·"Brisk-OH"·Brisk47 #By·Luke·"Brisk-OH"·Brisk
36 #luke.brisk@boeing.com·or·luke.brisk@gmail.com48 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
37 ######################################################################49 ######################################################################
  
38 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)50 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
Offset 44, 38 lines modifiedOffset 58, 113 lines modified
44 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf58 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
45 else59 else
46 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf60 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
47 fi61 fi
48 #·END·fix·for·'require_smb_client_signing'62 #·END·fix·for·'require_smb_client_signing'
  
49 ###############################################################################63 ###############################################################################
50 #·BEGIN·fix·(2·/·250)·for·'mount_option_smb_client_signing'64 #·BEGIN·fix·(4·/·250)·for·'mount_option_smb_client_signing'
51 ###############################################################################65 ###############################################################################
52 (>&2·echo·"Remediating·rule·2/250:·'mount_option_smb_client_signing'")66 (>&2·echo·"Remediating·rule·4/250:·'mount_option_smb_client_signing'")
53 #·FIX·FOR·THIS·RULE·IS·MISSING67 #·FIX·FOR·THIS·RULE·IS·MISSING
54 #·END·fix·for·'mount_option_smb_client_signing'68 #·END·fix·for·'mount_option_smb_client_signing'
  
55 ###############################################################################69 ###############################################################################
56 #·BEGIN·fix·(3·/·250)·for·'postfix_client_configure_mail_alias'70 #·BEGIN·fix·(5·/·250)·for·'service_ntpd_enabled'
57 ###############################################################################71 ###############################################################################
58 (>&2·echo·"Remediating·rule·3/250:·'postfix_client_configure_mail_alias'")72 (>&2·echo·"Remediating·rule·5/250:·'service_ntpd_enabled'")
59 #·FIX·FOR·THIS·RULE·IS·MISSING73 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
60 #·END·fix·for·'postfix_client_configure_mail_alias'74 #
 75 #·Example·Call(s):
 76 #
 77 #·····service_command·enable·bluetooth
 78 #·····service_command·disable·bluetooth.service
 79 #
 80 #·····Using·xinetd:
 81 #·····service_command·disable·rsh.socket·xinetd=rsh
 82 #
 83 function·service_command·{
  
 84 #·Load·function·arguments·into·local·variables
 85 local·service_state=$1
 86 local·service=$2
 87 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 88 #·Check·sanity·of·the·input
 89 if·[·$#·-lt·"2"·]
 90 then
 91 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 92 ··echo
 93 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 94 ··echo·"as·the·last·argument"··
 95 ··echo·"Aborting."
 96 ··exit·1
 97 fi
  
 98 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 99 if·[·-f·"/usr/bin/systemctl"·]·;·then
 100 ··service_util="/usr/bin/systemctl"
 101 else
 102 ··service_util="/sbin/service"
 103 ··chkconfig_util="/sbin/chkconfig"
 104 fi
  
 105 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 106 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 107 if·[·"$service_state"·!=·'disable'·]·;·then
 108 ··service_state="enable"
 109 ··service_operation="start"
 110 ··chkconfig_state="on"
 111 else
 112 ··service_state="disable"
 113 ··service_operation="stop"
 114 ··chkconfig_state="off"
 115 fi
  
 116 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 117 if·[·"x$chkconfig_util"·!=·x·]·;·then
 118 ··$service_util·$service·$service_operation
 119 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 120 else
 121 ··$service_util·$service_operation·$service
 122 ··$service_util·$service_state·$service
 123 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 124 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 125 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 126 ··$service_util·reset-failed·$service
 127 fi
  
 128 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 129 #·If·empty,·then·xinetd·is·not·being·used.
 130 if·[·"x$xinetd"·!=·x·]·;·then
 131 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 132 ··if·[·"$service_operation"·=·'disable'·]·;·then
 133 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 134 ··else
 135 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 136 ··fi
 137 fi
  
 138 }
  
 139 service_command·enable·ntpd
 140 #·END·fix·for·'service_ntpd_enabled'
  
Max diff block lines reached; 353872/359166 bytes (98.53%) of diff not shown.
386 KB
./usr/share/scap-security-guide/bash/ssg-rhel6-role-usgcb-rhel6-server.sh
    
Offset 19, 17 lines modifiedOffset 19, 17 lines modified
19 #19 #
20 #·How·to·apply·this·remediation·role:20 #·How·to·apply·this·remediation·role:
21 #·$·sudo·./remediation-role.sh21 #·$·sudo·./remediation-role.sh
22 #22 #
23 ###############################################################################23 ###############################################################################
  
24 ###############################################################################24 ###############################################################################
25 #·BEGIN·fix·(1·/·223)·for·'service_smb_disabled'25 #·BEGIN·fix·(1·/·223)·for·'service_vsftpd_disabled'
26 ###############################################################################26 ###############################################################################
27 (>&2·echo·"Remediating·rule·1/223:·'service_smb_disabled'")27 (>&2·echo·"Remediating·rule·1/223:·'service_vsftpd_disabled'")
28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
29 #29 #
30 #·Example·Call(s):30 #·Example·Call(s):
31 #31 #
32 #·····service_command·enable·bluetooth32 #·····service_command·enable·bluetooth
33 #·····service_command·disable·bluetooth.service33 #·····service_command·disable·bluetooth.service
34 #34 #
Offset 97, 47 lines modifiedOffset 97, 65 lines modified
97 ··else97 ··else
98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
99 ··fi99 ··fi
100 fi100 fi
  
101 }101 }
  
102 service_command·disable·smb102 service_command·disable·vsftpd
103 #·END·fix·for·'service_smb_disabled'103 #·END·fix·for·'service_vsftpd_disabled'
  
104 ###############################################################################104 ###############################################################################
105 #·BEGIN·fix·(2·/·223)·for·'require_smb_client_signing'105 #·BEGIN·fix·(2·/·223)·for·'package_vsftpd_removed'
106 ###############################################################################106 ###############################################################################
107 (>&2·echo·"Remediating·rule·2/223:·'require_smb_client_signing'")107 (>&2·echo·"Remediating·rule·2/223:·'package_vsftpd_removed'")
108 ######################################################################108 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
109 #By·Luke·"Brisk-OH"·Brisk109 #
110 #luke.brisk@boeing.com·or·luke.brisk@gmail.com110 #·Example·Call(s):
111 ######################################################################111 #
 112 #·····package_remove·telnet-server
 113 #
 114 function·package_remove·{
  
112 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)115 #·Load·function·arguments·into·local·variables
 116 local·package="$1"
  
113 if·[·"$CLIENTSIGNING"·-eq·0·];··then117 #·Check·sanity·of·the·input
114 »       #·Add·to·global·section118 if·[·$#·-ne·"1"·]
115 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf119 then
 120 ··echo·"Usage:·package_remove·'package_name'"
 121 ··echo·"Aborting."
 122 ··exit·1
 123 fi
  
 124 if·which·dnf·;·then
 125 ··if·rpm·-q·--quiet·"$package";·then
 126 ····dnf·remove·-y·"$package"
 127 ··fi
 128 elif·which·yum·;·then
 129 ··if·rpm·-q·--quiet·"$package";·then
 130 ····yum·remove·-y·"$package"
 131 ··fi
 132 elif·which·apt-get·;·then
 133 ··apt-get·remove·-y·"$package"
116 else134 else
117 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf135 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 136 ··echo·"Aborting."
 137 ··exit·1
118 fi138 fi
119 #·END·fix·for·'require_smb_client_signing' 
  
120 ###############################################################################139 }
121 #·BEGIN·fix·(3·/·223)·for·'mount_option_smb_client_signing' 
122 ###############################################################################140 package_remove·vsftpd
123 (>&2·echo·"Remediating·rule·3/223:·'mount_option_smb_client_signing'")141 #·END·fix·for·'package_vsftpd_removed'
124 #·FIX·FOR·THIS·RULE·IS·MISSING 
125 #·END·fix·for·'mount_option_smb_client_signing' 
  
126 ###############################################################################142 ###############################################################################
127 #·BEGIN·fix·(4·/·223)·for·'service_httpd_disabled'143 #·BEGIN·fix·(3·/·223)·for·'service_httpd_disabled'
128 ###############################################################################144 ###############################################################################
129 (>&2·echo·"Remediating·rule·4/223:·'service_httpd_disabled'")145 (>&2·echo·"Remediating·rule·3/223:·'service_httpd_disabled'")
130 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.146 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
131 #147 #
132 #·Example·Call(s):148 #·Example·Call(s):
133 #149 #
134 #·····service_command·enable·bluetooth150 #·····service_command·enable·bluetooth
135 #·····service_command·disable·bluetooth.service151 #·····service_command·disable·bluetooth.service
136 #152 #
Offset 209, 17 lines modifiedOffset 227, 17 lines modified
  
209 }227 }
  
210 service_command·disable·httpd228 service_command·disable·httpd
211 #·END·fix·for·'service_httpd_disabled'229 #·END·fix·for·'service_httpd_disabled'
  
212 ###############################################################################230 ###############################################################################
213 #·BEGIN·fix·(5·/·223)·for·'package_httpd_removed'231 #·BEGIN·fix·(4·/·223)·for·'package_httpd_removed'
214 ###############################################################################232 ###############################################################################
215 (>&2·echo·"Remediating·rule·5/223:·'package_httpd_removed'")233 (>&2·echo·"Remediating·rule·4/223:·'package_httpd_removed'")
216 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.234 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
217 #235 #
218 #·Example·Call(s):236 #·Example·Call(s):
219 #237 #
220 #·····package_remove·telnet-server238 #·····package_remove·telnet-server
221 #239 #
222 function·package_remove·{240 function·package_remove·{
Offset 253, 68 lines modifiedOffset 271, 99 lines modified
  
253 }271 }
  
254 package_remove·httpd272 package_remove·httpd
255 #·END·fix·for·'package_httpd_removed'273 #·END·fix·for·'package_httpd_removed'
  
256 ###############################################################################274 ###############################################################################
257 #·BEGIN·fix·(6·/·223)·for·'postfix_network_listening_disabled'275 #·BEGIN·fix·(5·/·223)·for·'service_named_disabled'
258 ############################################################################### 
259 (>&2·echo·"Remediating·rule·6/223:·'postfix_network_listening_disabled'") 
260 #·FIX·FOR·THIS·RULE·IS·MISSING 
261 #·END·fix·for·'postfix_network_listening_disabled' 
  
262 ############################################################################### 
263 #·BEGIN·fix·(7·/·223)·for·'package_sendmail_removed' 
264 ###############################################################################276 ###############################################################################
265 (>&2·echo·"Remediating·rule·7/223:·'package_sendmail_removed'")277 (>&2·echo·"Remediating·rule·5/223:·'service_named_disabled'")
266 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.278 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
267 #279 #
268 #·Example·Call(s):280 #·Example·Call(s):
269 #281 #
270 #·····package_remove·telnet-server282 #·····service_command·enable·bluetooth
Max diff block lines reached; 388953/394659 bytes (98.55%) of diff not shown.
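Review bot: The packaging-system probe in the new `package_remove` body, `if which dnf ; then` and the two `elif which … ; then` branches, writes the resolved tool path to stdout on a hit and an error on a miss, so each remediation run interleaves that noise with the rule banners and also depends on an external `which` binary; `if command -v dnf >/dev/null 2>&1 ; then` keeps the probe silent. The apt-get branch also lacks the installed-state guard that the dnf and yum branches get from `rpm -q --quiet "$package"`, so `apt-get remove -y "$package"` runs unconditionally; a `dpkg-query -W -f='${Status}' "$package" 2>/dev/null | grep -q 'install ok installed'` test would make the three branches consistent. Note too that `exit 1` inside the function aborts the whole role script, leaving every later rule unremediated, which the header comment does not say. The same template body appears as `package_install` in ssg-rhel7-role-C2S.sh and `package_remove` in ssg-rhel7-role-hipaa.sh in this diff. Most of this file's diff is not shown, so the remaining rules are not reviewed here.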
134 KB
./usr/share/scap-security-guide/bash/ssg-rhel7-role-C2S.sh
    
Offset 369, 17 lines modifiedOffset 369, 61 lines modified
  
369 }369 }
  
370 service_command·disable·tftp370 service_command·disable·tftp
371 #·END·fix·for·'service_tftp_disabled'371 #·END·fix·for·'service_tftp_disabled'
  
372 ###############################################################################372 ###############################################################################
373 #·BEGIN·fix·(11·/·213)·for·'service_xinetd_disabled'373 #·BEGIN·fix·(11·/·213)·for·'package_tcp_wrappers_installed'
374 ###############################################################################374 ###############################################################################
375 (>&2·echo·"Remediating·rule·11/213:·'service_xinetd_disabled'")375 (>&2·echo·"Remediating·rule·11/213:·'package_tcp_wrappers_installed'")
 376 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 377 #
 378 #·Example·Call(s):
 379 #
 380 #·····package_install·aide
 381 #
 382 function·package_install·{
  
 383 #·Load·function·arguments·into·local·variables
 384 local·package="$1"
  
 385 #·Check·sanity·of·the·input
 386 if·[·$#·-ne·"1"·]
 387 then
 388 ··echo·"Usage:·package_install·'package_name'"
 389 ··echo·"Aborting."
 390 ··exit·1
 391 fi
  
 392 if·which·dnf·;·then
 393 ··if·!·rpm·-q·--quiet·"$package";·then
 394 ····dnf·install·-y·"$package"
 395 ··fi
 396 elif·which·yum·;·then
 397 ··if·!·rpm·-q·--quiet·"$package";·then
 398 ····yum·install·-y·"$package"
 399 ··fi
 400 elif·which·apt-get·;·then
 401 ··apt-get·install·-y·"$package"
 402 else
 403 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 404 ··echo·"Aborting."
 405 ··exit·1
 406 fi
  
 407 }
  
 408 package_install·tcp_wrappers
 409 #·END·fix·for·'package_tcp_wrappers_installed'
  
 410 ###############################################################################
 411 #·BEGIN·fix·(12·/·213)·for·'service_xinetd_disabled'
 412 ###############################################################################
 413 (>&2·echo·"Remediating·rule·12/213:·'service_xinetd_disabled'")
376 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.414 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
377 #415 #
378 #·Example·Call(s):416 #·Example·Call(s):
379 #417 #
380 #·····service_command·enable·bluetooth418 #·····service_command·enable·bluetooth
381 #·····service_command·disable·bluetooth.service419 #·····service_command·disable·bluetooth.service
382 #420 #
Offset 451, 61 lines modifiedOffset 495, 61 lines modified
  
451 }495 }
  
452 service_command·disable·xinetd496 service_command·disable·xinetd
453 #·END·fix·for·'service_xinetd_disabled'497 #·END·fix·for·'service_xinetd_disabled'
  
454 ###############################################################################498 ###############################################################################
455 #·BEGIN·fix·(12·/·213)·for·'package_tcp_wrappers_installed'499 #·BEGIN·fix·(13·/·213)·for·'package_talk_removed'
456 ###############################################################################500 ###############################################################################
457 (>&2·echo·"Remediating·rule·12/213:·'package_tcp_wrappers_installed'")501 (>&2·echo·"Remediating·rule·13/213:·'package_talk_removed'")
458 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.502 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
459 #503 #
460 #·Example·Call(s):504 #·Example·Call(s):
461 #505 #
462 #·····package_install·aide506 #·····package_remove·telnet-server
463 #507 #
464 function·package_install·{508 function·package_remove·{
  
465 #·Load·function·arguments·into·local·variables509 #·Load·function·arguments·into·local·variables
466 local·package="$1"510 local·package="$1"
  
467 #·Check·sanity·of·the·input511 #·Check·sanity·of·the·input
468 if·[·$#·-ne·"1"·]512 if·[·$#·-ne·"1"·]
469 then513 then
470 ··echo·"Usage:·package_install·'package_name'"514 ··echo·"Usage:·package_remove·'package_name'"
471 ··echo·"Aborting."515 ··echo·"Aborting."
472 ··exit·1516 ··exit·1
473 fi517 fi
  
474 if·which·dnf·;·then518 if·which·dnf·;·then
475 ··if·!·rpm·-q·--quiet·"$package";·then519 ··if·rpm·-q·--quiet·"$package";·then
476 ····dnf·install·-y·"$package"520 ····dnf·remove·-y·"$package"
477 ··fi521 ··fi
478 elif·which·yum·;·then522 elif·which·yum·;·then
479 ··if·!·rpm·-q·--quiet·"$package";·then523 ··if·rpm·-q·--quiet·"$package";·then
480 ····yum·install·-y·"$package"524 ····yum·remove·-y·"$package"
481 ··fi525 ··fi
482 elif·which·apt-get·;·then526 elif·which·apt-get·;·then
483 ··apt-get·install·-y·"$package"527 ··apt-get·remove·-y·"$package"
484 else528 else
485 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"529 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
486 ··echo·"Aborting."530 ··echo·"Aborting."
487 ··exit·1531 ··exit·1
488 fi532 fi
  
489 }533 }
  
490 package_install·tcp_wrappers534 package_remove·talk
491 #·END·fix·for·'package_tcp_wrappers_installed'535 #·END·fix·for·'package_talk_removed'
  
492 ###############################################################################536 ###############################################################################
493 #·BEGIN·fix·(13·/·213)·for·'package_talk_removed'537 #·BEGIN·fix·(14·/·213)·for·'package_talk-server_removed'
494 ###############################################################################538 ###############################################################################
495 (>&2·echo·"Remediating·rule·13/213:·'package_talk_removed'")539 (>&2·echo·"Remediating·rule·14/213:·'package_talk-server_removed'")
496 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.540 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
497 #541 #
498 #·Example·Call(s):542 #·Example·Call(s):
499 #543 #
500 #·····package_remove·telnet-server544 #·····package_remove·telnet-server
501 #545 #
502 function·package_remove·{546 function·package_remove·{
Offset 535, 65 lines modifiedOffset 579, 103 lines modified
535 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"579 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
536 ··echo·"Aborting."580 ··echo·"Aborting."
537 ··exit·1581 ··exit·1
Max diff block lines reached; 132822/137164 bytes (96.83%) of diff not shown.
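Review bot: The header comment on the new `package_install` (`# Function to install packages on RHEL, Fedora, Debian, and possibly other systems.`) does not say that the function calls `exit 1` on a bad argument count or when no package manager is detected, which terminates the whole role script instead of skipping this one rule; adding `# Exits the calling script (exit 1) on bad arguments or when no supported package manager is found.` would make that visible to whoever runs the role unattended. The call `package_install tcp_wrappers` is presumably only meant for the RHEL 7 target of this role, since on apt-get systems the Debian package name differs (`tcpd`), so the apt-get branch of this generic helper would not install the intended package there — confirm the helper is never exercised outside its target distribution. Most of this file's diff is not shown, so later rules are not reviewed here.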
74.1 KB
./usr/share/scap-security-guide/bash/ssg-rhel7-role-cjis.sh
    
Offset 192, 17 lines modifiedOffset 192, 19 lines modified
192 ··fi192 ··fi
193 }193 }
  
194 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'194 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
195 #·END·fix·for·'sshd_set_keepalive'195 #·END·fix·for·'sshd_set_keepalive'
  
196 ###############################################################################196 ###############################################################################
197 #·BEGIN·fix·(3·/·102)·for·'sshd_enable_warning_banner'197 #·BEGIN·fix·(3·/·102)·for·'sshd_set_idle_timeout'
198 ###############################################################################198 ###############################################################################
199 (>&2·echo·"Remediating·rule·3/102:·'sshd_enable_warning_banner'")199 (>&2·echo·"Remediating·rule·3/102:·'sshd_set_idle_timeout'")
  
 200 sshd_idle_timeout_value="1800"
200 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if201 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
201 #·it·does·not·exist.202 #·it·does·not·exist.
202 #203 #
203 #·Expects·arguments:204 #·Expects·arguments:
204 #205 #
205 #·config_file:»  »  Configuration·file·that·will·be·modified206 #·config_file:»  »  Configuration·file·that·will·be·modified
206 #·key:»  »  »  Configuration·option·to·change207 #·key:»  »  »  Configuration·option·to·change
Offset 273, 21 lines modifiedOffset 275, 21 lines modified
273 ··else275 ··else
274 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline276 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
275 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"277 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
276 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"278 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
277 ··fi279 ··fi
278 }280 }
  
279 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'281 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
280 #·END·fix·for·'sshd_enable_warning_banner'282 #·END·fix·for·'sshd_set_idle_timeout'
  
281 ###############################################################################283 ###############################################################################
282 #·BEGIN·fix·(4·/·102)·for·'sshd_do_not_permit_user_env'284 #·BEGIN·fix·(4·/·102)·for·'sshd_enable_warning_banner'
283 ###############################################################################285 ###############################################################################
284 (>&2·echo·"Remediating·rule·4/102:·'sshd_do_not_permit_user_env'")286 (>&2·echo·"Remediating·rule·4/102:·'sshd_enable_warning_banner'")
285 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if287 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
286 #·it·does·not·exist.288 #·it·does·not·exist.
287 #289 #
288 #·Expects·arguments:290 #·Expects·arguments:
289 #291 #
290 #·config_file:»  »  Configuration·file·that·will·be·modified292 #·config_file:»  »  Configuration·file·that·will·be·modified
291 #·key:»  »  »  Configuration·option·to·change293 #·key:»  »  »  Configuration·option·to·change
Offset 358, 16 lines modifiedOffset 360, 16 lines modified
358 ··else360 ··else
359 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline361 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
360 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"362 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
361 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"363 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
362 ··fi364 ··fi
363 }365 }
  
364 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'366 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'
365 #·END·fix·for·'sshd_do_not_permit_user_env'367 #·END·fix·for·'sshd_enable_warning_banner'
  
366 ###############################################################################368 ###############################################################################
367 #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2'369 #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2'
368 ###############################################################################370 ###############################################################################
369 (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'")371 (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'")
370 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if372 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
371 #·it·does·not·exist.373 #·it·does·not·exist.
Offset 532, 19 lines modifiedOffset 534, 17 lines modified
532 ··fi534 ··fi
533 }535 }
  
534 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'536 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'
535 #·END·fix·for·'sshd_disable_rhosts'537 #·END·fix·for·'sshd_disable_rhosts'
  
536 ###############################################################################538 ###############################################################################
537 #·BEGIN·fix·(7·/·102)·for·'sshd_set_idle_timeout'539 #·BEGIN·fix·(7·/·102)·for·'sshd_do_not_permit_user_env'
538 ###############################################################################540 ###############################################################################
539 (>&2·echo·"Remediating·rule·7/102:·'sshd_set_idle_timeout'")541 (>&2·echo·"Remediating·rule·7/102:·'sshd_do_not_permit_user_env'")
  
540 sshd_idle_timeout_value="1800" 
541 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if542 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
542 #·it·does·not·exist.543 #·it·does·not·exist.
543 #544 #
544 #·Expects·arguments:545 #·Expects·arguments:
545 #546 #
546 #·config_file:»  »  Configuration·file·that·will·be·modified547 #·config_file:»  »  Configuration·file·that·will·be·modified
547 #·key:»  »  »  Configuration·option·to·change548 #·key:»  »  »  Configuration·option·to·change
Offset 615, 16 lines modifiedOffset 615, 16 lines modified
615 ··else615 ··else
616 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline616 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
617 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"617 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
618 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"618 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
619 ··fi619 ··fi
620 }620 }
  
621 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'621 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'
622 #·END·fix·for·'sshd_set_idle_timeout'622 #·END·fix·for·'sshd_do_not_permit_user_env'
  
623 ###############################################################################623 ###############################################################################
624 #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers'624 #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers'
625 ###############################################################################625 ###############################################################################
626 (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'")626 (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'")
627 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if627 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
628 #·it·does·not·exist.628 #·it·does·not·exist.
Offset 1193, 19 lines modifiedOffset 1193, 17 lines modified
1193 include_dconf_settings1193 include_dconf_settings
  
1194 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'1194 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'
1195 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'1195 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'
1196 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'1196 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'
  
1197 ###############################################################################1197 ###############################################################################
1198 #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_idle_delay'1198 #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_mode_blank'
1199 ###############################################################################1199 ###############################################################################
1200 (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_idle_delay'")1200 (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_mode_blank'")
  
1201 inactivity_timeout_value="1800" 
1202 function·include_dconf_settings·{1201 function·include_dconf_settings·{
1203 »       :1202 »       :
1204 }1203 }
  
1205 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.1204 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
1206 #1205 #
1207 #·Example·Call(s):1206 #·Example·Call(s):
Offset 1273, 22 lines modifiedOffset 1271, 24 lines modified
1273 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"1271 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"
1274 »       fi1272 »       fi
1275 }1273 }
  
  
1276 include_dconf_settings1274 include_dconf_settings
  
1277 dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings'1275 dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings'
1278 dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock'1276 dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock'
1279 #·END·fix·for·'dconf_gnome_screensaver_idle_delay'1277 #·END·fix·for·'dconf_gnome_screensaver_mode_blank'
  
Max diff block lines reached; 69231/75731 bytes (91.42%) of diff not shown.
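Review bot: The moved `sshd_set_idle_timeout` call passes the timeout unquoted, `replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' $sshd_idle_timeout_value 'CCE-27433-2' '%s %s'`, while every other argument on that line and in the sibling calls is quoted; with the current literal `"1800"` this is harmless, but if the value is ever templated to something containing whitespace the argument count shifts and the CCE tag lands in the wrong parameter, so `"$sshd_idle_timeout_value"` is the safer form. The assignment `sshd_idle_timeout_value="1800"` also carries no comment saying the unit is seconds, which a one-line `# seconds; ClientAliveInterval` would fix. The rest of the section is a renumbering of existing rules, and most of this file's diff is not shown.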
98.1 KB
./usr/share/scap-security-guide/bash/ssg-rhel7-role-hipaa.sh
    
Offset 285, 17 lines modifiedOffset 285, 61 lines modified
  
285 }285 }
  
286 package_remove·telnet-server286 package_remove·telnet-server
287 #·END·fix·for·'package_telnet-server_removed'287 #·END·fix·for·'package_telnet-server_removed'
  
288 ###############################################################################288 ###############################################################################
289 #·BEGIN·fix·(10·/·149)·for·'service_ypbind_disabled'289 #·BEGIN·fix·(10·/·149)·for·'package_ypbind_removed'
290 ###############################################################################290 ###############################################################################
291 (>&2·echo·"Remediating·rule·10/149:·'service_ypbind_disabled'")291 (>&2·echo·"Remediating·rule·10/149:·'package_ypbind_removed'")
 292 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 293 #
 294 #·Example·Call(s):
 295 #
 296 #·····package_remove·telnet-server
 297 #
 298 function·package_remove·{
  
 299 #·Load·function·arguments·into·local·variables
 300 local·package="$1"
  
 301 #·Check·sanity·of·the·input
 302 if·[·$#·-ne·"1"·]
 303 then
 304 ··echo·"Usage:·package_remove·'package_name'"
 305 ··echo·"Aborting."
 306 ··exit·1
 307 fi
  
 308 if·which·dnf·;·then
 309 ··if·rpm·-q·--quiet·"$package";·then
 310 ····dnf·remove·-y·"$package"
 311 ··fi
 312 elif·which·yum·;·then
 313 ··if·rpm·-q·--quiet·"$package";·then
 314 ····yum·remove·-y·"$package"
 315 ··fi
 316 elif·which·apt-get·;·then
 317 ··apt-get·remove·-y·"$package"
 318 else
 319 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 320 ··echo·"Aborting."
 321 ··exit·1
 322 fi
  
 323 }
  
 324 package_remove·ypbind
 325 #·END·fix·for·'package_ypbind_removed'
  
 326 ###############################################################################
 327 #·BEGIN·fix·(11·/·149)·for·'service_ypbind_disabled'
 328 ###############################################################################
 329 (>&2·echo·"Remediating·rule·11/149:·'service_ypbind_disabled'")
292 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.330 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
293 #331 #
294 #·Example·Call(s):332 #·Example·Call(s):
295 #333 #
296 #·····service_command·enable·bluetooth334 #·····service_command·enable·bluetooth
297 #·····service_command·disable·bluetooth.service335 #·····service_command·disable·bluetooth.service
298 #336 #
Offset 367, 58 lines modifiedOffset 411, 14 lines modified
  
367 }411 }
  
368 service_command·disable·ypbind412 service_command·disable·ypbind
369 #·END·fix·for·'service_ypbind_disabled'413 #·END·fix·for·'service_ypbind_disabled'
  
370 ###############################################################################414 ###############################################################################
371 #·BEGIN·fix·(11·/·149)·for·'package_ypbind_removed' 
372 ############################################################################### 
373 (>&2·echo·"Remediating·rule·11/149:·'package_ypbind_removed'") 
374 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
375 # 
376 #·Example·Call(s): 
377 # 
378 #·····package_remove·telnet-server 
379 # 
380 function·package_remove·{ 
  
381 #·Load·function·arguments·into·local·variables 
382 local·package="$1" 
  
383 #·Check·sanity·of·the·input 
384 if·[·$#·-ne·"1"·] 
385 then 
386 ··echo·"Usage:·package_remove·'package_name'" 
387 ··echo·"Aborting." 
388 ··exit·1 
389 fi 
  
390 if·which·dnf·;·then 
391 ··if·rpm·-q·--quiet·"$package";·then 
392 ····dnf·remove·-y·"$package" 
393 ··fi 
394 elif·which·yum·;·then 
395 ··if·rpm·-q·--quiet·"$package";·then 
396 ····yum·remove·-y·"$package" 
397 ··fi 
398 elif·which·apt-get·;·then 
399 ··apt-get·remove·-y·"$package" 
400 else 
401 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
402 ··echo·"Aborting." 
403 ··exit·1 
404 fi 
  
405 } 
  
406 package_remove·ypbind 
407 #·END·fix·for·'package_ypbind_removed' 
  
408 ############################################################################### 
409 #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed'415 #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed'
410 ###############################################################################416 ###############################################################################
411 (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'")417 (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'")
412 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.418 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
413 #419 #
414 #·Example·Call(s):420 #·Example·Call(s):
415 #421 #
Offset 922, 17 lines modifiedOffset 922, 17 lines modified
922 #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports'922 #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports'
923 ###############################################################################923 ###############################################################################
924 (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'")924 (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'")
925 #·FIX·FOR·THIS·RULE·IS·MISSING925 #·FIX·FOR·THIS·RULE·IS·MISSING
926 #·END·fix·for·'use_kerberos_security_all_exports'926 #·END·fix·for·'use_kerberos_security_all_exports'
  
Max diff block lines reached; 96537/100366 bytes (96.18%) of diff not shown.
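Review bot: The two builds emit `package_remove ypbind` and `service_command disable ypbind` in opposite order (rules 10/149 and 11/149 swap places), so the generated role script is not reproducible and the two variants do not execute the same sequence: on the new side the ypbind unit is disabled only after its package has been removed, which may fail if the unit file is gone, and whether that aborts the whole remediation run depends on error handling outside this hunk. Because the `Remediating rule N/149` banners are numbered by position, the same rule also cannot be located by number across builds. This presumably comes from the generator iterating an unordered collection of rules; emitting rules in a stable order (for example sorted by rule id, or in profile selection order) would make the output deterministic, and independently of that `service_command disable` should tolerate a unit that no longer exists rather than relying on the removal having run last. The same reordering appears in the ssg-rhel7-role-nist-800-171-cui.sh, ssg-rhel7-role-ospp.sh, ssg-rhel7-role-pci-dss.sh and ssg-rhel7-role-rht-ccp.sh sections below. The enclosing script continues outside the hunk.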
226 KB
./usr/share/scap-security-guide/bash/ssg-rhel7-role-nist-800-171-cui.sh
    
Offset 293, 17 lines modifiedOffset 293, 61 lines modified
  
293 }293 }
  
294 package_remove·telnet-server294 package_remove·telnet-server
295 #·END·fix·for·'package_telnet-server_removed'295 #·END·fix·for·'package_telnet-server_removed'
  
296 ###############################################################################296 ###############################################################################
297 #·BEGIN·fix·(10·/·358)·for·'service_ypbind_disabled'297 #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed'
298 ###############################################################################298 ###############################################################################
299 (>&2·echo·"Remediating·rule·10/358:·'service_ypbind_disabled'")299 (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'")
 300 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 301 #
 302 #·Example·Call(s):
 303 #
 304 #·····package_remove·telnet-server
 305 #
 306 function·package_remove·{
  
 307 #·Load·function·arguments·into·local·variables
 308 local·package="$1"
  
 309 #·Check·sanity·of·the·input
 310 if·[·$#·-ne·"1"·]
 311 then
 312 ··echo·"Usage:·package_remove·'package_name'"
 313 ··echo·"Aborting."
 314 ··exit·1
 315 fi
  
 316 if·which·dnf·;·then
 317 ··if·rpm·-q·--quiet·"$package";·then
 318 ····dnf·remove·-y·"$package"
 319 ··fi
 320 elif·which·yum·;·then
 321 ··if·rpm·-q·--quiet·"$package";·then
 322 ····yum·remove·-y·"$package"
 323 ··fi
 324 elif·which·apt-get·;·then
 325 ··apt-get·remove·-y·"$package"
 326 else
 327 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 328 ··echo·"Aborting."
 329 ··exit·1
 330 fi
  
 331 }
  
 332 package_remove·ypbind
 333 #·END·fix·for·'package_ypbind_removed'
  
 334 ###############################################################################
 335 #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled'
 336 ###############################################################################
 337 (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'")
300 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.338 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
301 #339 #
302 #·Example·Call(s):340 #·Example·Call(s):
303 #341 #
304 #·····service_command·enable·bluetooth342 #·····service_command·enable·bluetooth
305 #·····service_command·disable·bluetooth.service343 #·····service_command·disable·bluetooth.service
306 #344 #
Offset 375, 58 lines modifiedOffset 419, 14 lines modified
  
375 }419 }
  
376 service_command·disable·ypbind420 service_command·disable·ypbind
377 #·END·fix·for·'service_ypbind_disabled'421 #·END·fix·for·'service_ypbind_disabled'
  
378 ###############################################################################422 ###############################################################################
379 #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' 
380 ############################################################################### 
381 (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") 
382 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
383 # 
384 #·Example·Call(s): 
385 # 
386 #·····package_remove·telnet-server 
387 # 
388 function·package_remove·{ 
  
389 #·Load·function·arguments·into·local·variables 
390 local·package="$1" 
  
391 #·Check·sanity·of·the·input 
392 if·[·$#·-ne·"1"·] 
393 then 
394 ··echo·"Usage:·package_remove·'package_name'" 
395 ··echo·"Aborting." 
396 ··exit·1 
397 fi 
  
398 if·which·dnf·;·then 
399 ··if·rpm·-q·--quiet·"$package";·then 
400 ····dnf·remove·-y·"$package" 
401 ··fi 
402 elif·which·yum·;·then 
403 ··if·rpm·-q·--quiet·"$package";·then 
404 ····yum·remove·-y·"$package" 
405 ··fi 
406 elif·which·apt-get·;·then 
407 ··apt-get·remove·-y·"$package" 
408 else 
409 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
410 ··echo·"Aborting." 
411 ··exit·1 
412 fi 
  
413 } 
  
414 package_remove·ypbind 
415 #·END·fix·for·'package_ypbind_removed' 
  
416 ############################################################################### 
417 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'423 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'
418 ###############################################################################424 ###############################################################################
419 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")425 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")
420 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.426 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
421 #427 #
422 #·Example·Call(s):428 #·Example·Call(s):
423 #429 #
Offset 1428, 17 lines modifiedOffset 1428, 17 lines modified
1428 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'1428 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'
1429 ###############################################################################1429 ###############################################################################
1430 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")1430 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")
1431 #·FIX·FOR·THIS·RULE·IS·MISSING1431 #·FIX·FOR·THIS·RULE·IS·MISSING
1432 #·END·fix·for·'mount_option_nodev_remote_filesystems'1432 #·END·fix·for·'mount_option_nodev_remote_filesystems'
  
Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown.
226 KB
./usr/share/scap-security-guide/bash/ssg-rhel7-role-ospp.sh
    
Offset 304, 17 lines modifiedOffset 304, 61 lines modified
  
304 }304 }
  
305 package_remove·telnet-server305 package_remove·telnet-server
306 #·END·fix·for·'package_telnet-server_removed'306 #·END·fix·for·'package_telnet-server_removed'
  
307 ###############################################################################307 ###############################################################################
308 #·BEGIN·fix·(10·/·358)·for·'service_ypbind_disabled'308 #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed'
309 ###############################################################################309 ###############################################################################
310 (>&2·echo·"Remediating·rule·10/358:·'service_ypbind_disabled'")310 (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'")
 311 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 312 #
 313 #·Example·Call(s):
 314 #
 315 #·····package_remove·telnet-server
 316 #
 317 function·package_remove·{
  
 318 #·Load·function·arguments·into·local·variables
 319 local·package="$1"
  
 320 #·Check·sanity·of·the·input
 321 if·[·$#·-ne·"1"·]
 322 then
 323 ··echo·"Usage:·package_remove·'package_name'"
 324 ··echo·"Aborting."
 325 ··exit·1
 326 fi
  
 327 if·which·dnf·;·then
 328 ··if·rpm·-q·--quiet·"$package";·then
 329 ····dnf·remove·-y·"$package"
 330 ··fi
 331 elif·which·yum·;·then
 332 ··if·rpm·-q·--quiet·"$package";·then
 333 ····yum·remove·-y·"$package"
 334 ··fi
 335 elif·which·apt-get·;·then
 336 ··apt-get·remove·-y·"$package"
 337 else
 338 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 339 ··echo·"Aborting."
 340 ··exit·1
 341 fi
  
 342 }
  
 343 package_remove·ypbind
 344 #·END·fix·for·'package_ypbind_removed'
  
 345 ###############################################################################
 346 #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled'
 347 ###############################################################################
 348 (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'")
311 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.349 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
312 #350 #
313 #·Example·Call(s):351 #·Example·Call(s):
314 #352 #
315 #·····service_command·enable·bluetooth353 #·····service_command·enable·bluetooth
316 #·····service_command·disable·bluetooth.service354 #·····service_command·disable·bluetooth.service
317 #355 #
Offset 386, 58 lines modifiedOffset 430, 14 lines modified
  
386 }430 }
  
387 service_command·disable·ypbind431 service_command·disable·ypbind
388 #·END·fix·for·'service_ypbind_disabled'432 #·END·fix·for·'service_ypbind_disabled'
  
389 ###############################################################################433 ###############################################################################
390 #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' 
391 ############################################################################### 
392 (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") 
393 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
394 # 
395 #·Example·Call(s): 
396 # 
397 #·····package_remove·telnet-server 
398 # 
399 function·package_remove·{ 
  
400 #·Load·function·arguments·into·local·variables 
401 local·package="$1" 
  
402 #·Check·sanity·of·the·input 
403 if·[·$#·-ne·"1"·] 
404 then 
405 ··echo·"Usage:·package_remove·'package_name'" 
406 ··echo·"Aborting." 
407 ··exit·1 
408 fi 
  
409 if·which·dnf·;·then 
410 ··if·rpm·-q·--quiet·"$package";·then 
411 ····dnf·remove·-y·"$package" 
412 ··fi 
413 elif·which·yum·;·then 
414 ··if·rpm·-q·--quiet·"$package";·then 
415 ····yum·remove·-y·"$package" 
416 ··fi 
417 elif·which·apt-get·;·then 
418 ··apt-get·remove·-y·"$package" 
419 else 
420 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
421 ··echo·"Aborting." 
422 ··exit·1 
423 fi 
  
424 } 
  
425 package_remove·ypbind 
426 #·END·fix·for·'package_ypbind_removed' 
  
427 ############################################################################### 
428 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'434 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'
429 ###############################################################################435 ###############################################################################
430 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")436 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")
431 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.437 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
432 #438 #
433 #·Example·Call(s):439 #·Example·Call(s):
434 #440 #
Offset 1439, 17 lines modifiedOffset 1439, 17 lines modified
1439 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'1439 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'
1440 ###############################################################################1440 ###############################################################################
1441 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")1441 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")
1442 #·FIX·FOR·THIS·RULE·IS·MISSING1442 #·FIX·FOR·THIS·RULE·IS·MISSING
1443 #·END·fix·for·'mount_option_nodev_remote_filesystems'1443 #·END·fix·for·'mount_option_nodev_remote_filesystems'
  
Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown.
60.4 KB
./usr/share/scap-security-guide/bash/ssg-rhel7-role-pci-dss.sh
    
Offset 793, 19 lines modifiedOffset 793, 17 lines modified
793 include_dconf_settings793 include_dconf_settings
  
794 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'794 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'
795 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'795 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'
796 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'796 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'
  
797 ###############################################################################797 ###############################################################################
798 #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_idle_delay'798 #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_mode_blank'
799 ###############################################################################799 ###############################################################################
800 (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_idle_delay'")800 (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_mode_blank'")
  
801 inactivity_timeout_value="900" 
802 function·include_dconf_settings·{801 function·include_dconf_settings·{
803 »       :802 »       :
804 }803 }
  
805 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.804 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
806 #805 #
807 #·Example·Call(s):806 #·Example·Call(s):
Offset 873, 22 lines modifiedOffset 871, 24 lines modified
873 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"871 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"
874 »       fi872 »       fi
875 }873 }
  
  
876 include_dconf_settings874 include_dconf_settings
  
877 dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings'875 dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings'
878 dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock'876 dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock'
879 #·END·fix·for·'dconf_gnome_screensaver_idle_delay'877 #·END·fix·for·'dconf_gnome_screensaver_mode_blank'
  
880 ###############################################################################878 ###############################################################################
881 #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_mode_blank'879 #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_idle_delay'
882 ###############################################################################880 ###############################################################################
883 (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_mode_blank'")881 (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_idle_delay'")
  
 882 inactivity_timeout_value="900"
884 function·include_dconf_settings·{883 function·include_dconf_settings·{
885 »       :884 »       :
886 }885 }
  
887 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.886 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
888 #887 #
889 #·Example·Call(s):888 #·Example·Call(s):
Offset 956, 17 lines modifiedOffset 956, 17 lines modified
956 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"956 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"
957 »       fi957 »       fi
958 }958 }
  
  
959 include_dconf_settings959 include_dconf_settings
  
960 dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings'960 dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings'
961 dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock'961 dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock'
962 #·END·fix·for·'dconf_gnome_screensaver_mode_blank'962 #·END·fix·for·'dconf_gnome_screensaver_idle_delay'
  
963 ###############################################################################963 ###############################################################################
964 #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled'964 #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled'
965 ###############################################################################965 ###############################################################################
966 (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'")966 (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'")
967 function·include_dconf_settings·{967 function·include_dconf_settings·{
968 »       :968 »       :
Offset 2117, 72 lines modifiedOffset 2117, 72 lines modified
2117 ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG2117 ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG
2118 if·!·[·$?·-eq·0·];·then2118 if·!·[·$?·-eq·0·];·then
2119 ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG2119 ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG
2120 fi2120 fi
2121 #·END·fix·for·'auditd_data_retention_action_mail_acct'2121 #·END·fix·for·'auditd_data_retention_action_mail_acct'
  
2122 ###############################################################################2122 ###############################################################################
2123 #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_space_left_action'2123 #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_admin_space_left_action'
2124 ###############################################################################2124 ###############################################################################
2125 (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_space_left_action'")2125 (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_admin_space_left_action'")
  
2126 var_auditd_space_left_action="suspend" 
  
2127 grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\ 
2128 ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf 
2129 if·!·[·$?·-eq·0·];·then 
2130 ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf 
2131 fi 
2132 #·END·fix·for·'auditd_data_retention_space_left_action' 
  
2133 ############################################################################### 
2134 #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_admin_space_left_action' 
2135 ############################################################################### 
2136 (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_admin_space_left_action'") 
  
2137 var_auditd_admin_space_left_action="suspend"2126 var_auditd_admin_space_left_action="suspend"
  
2138 grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\2127 grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\
2139 ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf2128 ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf
2140 if·!·[·$?·-eq·0·];·then2129 if·!·[·$?·-eq·0·];·then
2141 ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf2130 ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf
2142 fi2131 fi
2143 #·END·fix·for·'auditd_data_retention_admin_space_left_action'2132 #·END·fix·for·'auditd_data_retention_admin_space_left_action'
  
2144 ###############################################################################2133 ###############################################################################
2145 #·BEGIN·fix·(50·/·94)·for·'auditd_data_retention_num_logs'2134 #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_max_log_file_action'
2146 ###############################################################################2135 ###############################################################################
2147 (>&2·echo·"Remediating·rule·50/94:·'auditd_data_retention_num_logs'")2136 (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_max_log_file_action'")
  
2148 var_auditd_num_logs="5"2137 var_auditd_max_log_file_action="rotate"
  
2149 AUDITCONFIG=/etc/audit/auditd.conf2138 AUDITCONFIG=/etc/audit/auditd.conf
  
2150 grep·-q·^num_logs·$AUDITCONFIG·&&·\2139 grep·-q·^max_log_file_action·$AUDITCONFIG·&&·\
2151 ··sed·-i·'s/^num_logs.*/num_logs·=·'"$var_auditd_num_logs"'/g'·$AUDITCONFIG2140 ··sed·-i·'s/^max_log_file_action.*/max_log_file_action·=·'"$var_auditd_max_log_file_action"'/g'·$AUDITCONFIG
2152 if·!·[·$?·-eq·0·];·then2141 if·!·[·$?·-eq·0·];·then
2153 ··echo·"num_logs·=·$var_auditd_num_logs"·>>·$AUDITCONFIG2142 ··echo·"max_log_file_action·=·$var_auditd_max_log_file_action"·>>·$AUDITCONFIG
2154 fi2143 fi
2155 #·END·fix·for·'auditd_data_retention_num_logs'2144 #·END·fix·for·'auditd_data_retention_max_log_file_action'
  
2156 ###############################################################################2145 ###############################################################################
2157 #·BEGIN·fix·(51·/·94)·for·'auditd_data_retention_max_log_file_action'2146 #·BEGIN·fix·(50·/·94)·for·'auditd_data_retention_space_left_action'
2158 ###############################################################################2147 ###############################################################################
2159 (>&2·echo·"Remediating·rule·51/94:·'auditd_data_retention_max_log_file_action'")2148 (>&2·echo·"Remediating·rule·50/94:·'auditd_data_retention_space_left_action'")
  
2160 var_auditd_max_log_file_action="rotate"2149 var_auditd_space_left_action="suspend"
  
 2150 grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\
 2151 ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf
 2152 if·!·[·$?·-eq·0·];·then
 2153 ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf
 2154 fi
 2155 #·END·fix·for·'auditd_data_retention_space_left_action'
  
Max diff block lines reached; 54266/61706 bytes (87.94%) of diff not shown.
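Review bot: The `sed` in the relocated `auditd_data_retention_space_left_action` rule, `sed -i "s/space_left_action.*/space_left_action = $var_auditd_space_left_action/g"`, is not anchored to the start of the line, unlike the `grep -q ^space_left_action` that guards it and the `^max_log_file_action` pattern used in the neighbouring rule, so it also rewrites the `admin_space_left_action` line (where `space_left_action` is a substring) and, in the new ordering, does so after that rule has already set it. The two values coincide at "suspend" here, which masks the effect, but any differing admin value would be silently overwritten; the fix is to anchor the pattern: `sed -i "s/^space_left_action.*/space_left_action = $var_auditd_space_left_action/g" /etc/audit/auditd.conf`. The `admin_space_left_action.*` pattern in the `auditd_data_retention_admin_space_left_action` rule should be anchored the same way for consistency, even though no longer key contains it as a suffix today. The surrounding script continues outside the hunk.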
8.83 KB
./usr/share/scap-security-guide/bash/ssg-rhel7-role-rht-ccp.sh
    
Offset 376, 17 lines modifiedOffset 376, 19 lines modified
376 ··fi376 ··fi
377 }377 }
  
378 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'378 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
379 #·END·fix·for·'sshd_set_keepalive'379 #·END·fix·for·'sshd_set_keepalive'
  
380 ###############################################################################380 ###############################################################################
381 #·BEGIN·fix·(7·/·70)·for·'sshd_enable_warning_banner'381 #·BEGIN·fix·(7·/·70)·for·'sshd_set_idle_timeout'
382 ###############################################################################382 ###############################################################################
383 (>&2·echo·"Remediating·rule·7/70:·'sshd_enable_warning_banner'")383 (>&2·echo·"Remediating·rule·7/70:·'sshd_set_idle_timeout'")
  
 384 sshd_idle_timeout_value="300"
384 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if385 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
385 #·it·does·not·exist.386 #·it·does·not·exist.
386 #387 #
387 #·Expects·arguments:388 #·Expects·arguments:
388 #389 #
389 #·config_file:»  »  Configuration·file·that·will·be·modified390 #·config_file:»  »  Configuration·file·that·will·be·modified
390 #·key:»  »  »  Configuration·option·to·change391 #·key:»  »  »  Configuration·option·to·change
Offset 457, 21 lines modifiedOffset 459, 21 lines modified
457 ··else459 ··else
458 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline460 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
459 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"461 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
460 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"462 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
461 ··fi463 ··fi
462 }464 }
  
463 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'465 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
464 #·END·fix·for·'sshd_enable_warning_banner'466 #·END·fix·for·'sshd_set_idle_timeout'
  
465 ###############################################################################467 ###############################################################################
466 #·BEGIN·fix·(8·/·70)·for·'sshd_do_not_permit_user_env'468 #·BEGIN·fix·(8·/·70)·for·'sshd_enable_warning_banner'
467 ###############################################################################469 ###############################################################################
468 (>&2·echo·"Remediating·rule·8/70:·'sshd_do_not_permit_user_env'")470 (>&2·echo·"Remediating·rule·8/70:·'sshd_enable_warning_banner'")
469 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if471 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
470 #·it·does·not·exist.472 #·it·does·not·exist.
471 #473 #
472 #·Expects·arguments:474 #·Expects·arguments:
473 #475 #
474 #·config_file:»  »  Configuration·file·that·will·be·modified476 #·config_file:»  »  Configuration·file·that·will·be·modified
475 #·key:»  »  »  Configuration·option·to·change477 #·key:»  »  »  Configuration·option·to·change
Offset 542, 16 lines modifiedOffset 544, 16 lines modified
542 ··else544 ··else
543 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline545 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
544 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"546 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
545 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"547 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
546 ··fi548 ··fi
547 }549 }
  
548 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'550 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'
549 #·END·fix·for·'sshd_do_not_permit_user_env'551 #·END·fix·for·'sshd_enable_warning_banner'
  
550 ###############################################################################552 ###############################################################################
551 #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2'553 #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2'
552 ###############################################################################554 ###############################################################################
553 (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'")555 (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'")
554 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if556 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
555 #·it·does·not·exist.557 #·it·does·not·exist.
Offset 716, 19 lines modifiedOffset 718, 17 lines modified
716 ··fi718 ··fi
717 }719 }
  
718 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'720 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'
719 #·END·fix·for·'sshd_disable_rhosts'721 #·END·fix·for·'sshd_disable_rhosts'
  
720 ###############################################################################722 ###############################################################################
721 #·BEGIN·fix·(11·/·70)·for·'sshd_set_idle_timeout'723 #·BEGIN·fix·(11·/·70)·for·'sshd_do_not_permit_user_env'
722 ###############################################################################724 ###############################################################################
723 (>&2·echo·"Remediating·rule·11/70:·'sshd_set_idle_timeout'")725 (>&2·echo·"Remediating·rule·11/70:·'sshd_do_not_permit_user_env'")
  
724 sshd_idle_timeout_value="300" 
725 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if726 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
726 #·it·does·not·exist.727 #·it·does·not·exist.
727 #728 #
728 #·Expects·arguments:729 #·Expects·arguments:
729 #730 #
730 #·config_file:»  »  Configuration·file·that·will·be·modified731 #·config_file:»  »  Configuration·file·that·will·be·modified
731 #·key:»  »  »  Configuration·option·to·change732 #·key:»  »  »  Configuration·option·to·change
Offset 799, 16 lines modifiedOffset 799, 16 lines modified
799 ··else799 ··else
800 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline800 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
801 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"801 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
802 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"802 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
803 ··fi803 ··fi
804 }804 }
  
805 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'805 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'
806 #·END·fix·for·'sshd_set_idle_timeout'806 #·END·fix·for·'sshd_do_not_permit_user_env'
  
807 ###############################################################################807 ###############################################################################
808 #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers'808 #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers'
809 ###############################################################################809 ###############################################################################
810 (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'")810 (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'")
811 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if811 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
812 #·it·does·not·exist.812 #·it·does·not·exist.
Offset 1502, 26 lines modifiedOffset 1502, 26 lines modified
1502 ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs1502 ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs
1503 if·!·[·$?·-eq·0·];·then1503 if·!·[·$?·-eq·0·];·then
1504 ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs1504 ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs
1505 fi1505 fi
1506 #·END·fix·for·'accounts_minimum_age_login_defs'1506 #·END·fix·for·'accounts_minimum_age_login_defs'
  
1507 ###############################################################################1507 ###############################################################################
1508 #·BEGIN·fix·(34·/·70)·for·'accounts_no_uid_except_zero'1508 #·BEGIN·fix·(34·/·70)·for·'no_shelllogin_for_systemaccounts'
1509 ###############################################################################1509 ###############################################################################
1510 (>&2·echo·"Remediating·rule·34/70:·'accounts_no_uid_except_zero'")1510 (>&2·echo·"Remediating·rule·34/70:·'no_shelllogin_for_systemaccounts'")
1511 awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l1511 #·FIX·FOR·THIS·RULE·IS·MISSING
1512 #·END·fix·for·'accounts_no_uid_except_zero'1512 #·END·fix·for·'no_shelllogin_for_systemaccounts'
  
1513 ###############################################################################1513 ###############################################################################
1514 #·BEGIN·fix·(35·/·70)·for·'no_shelllogin_for_systemaccounts'1514 #·BEGIN·fix·(35·/·70)·for·'accounts_no_uid_except_zero'
1515 ###############################################################################1515 ###############################################################################
1516 (>&2·echo·"Remediating·rule·35/70:·'no_shelllogin_for_systemaccounts'")1516 (>&2·echo·"Remediating·rule·35/70:·'accounts_no_uid_except_zero'")
1517 #·FIX·FOR·THIS·RULE·IS·MISSING1517 awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l
1518 #·END·fix·for·'no_shelllogin_for_systemaccounts'1518 #·END·fix·for·'accounts_no_uid_except_zero'
  
1519 ###############################################################################1519 ###############################################################################
1520 #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed'1520 #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed'
1521 ###############################################################################1521 ###############################################################################
1522 (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'")1522 (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'")
1523 #·FIX·FOR·THIS·RULE·IS·MISSING1523 #·FIX·FOR·THIS·RULE·IS·MISSING
1524 #·END·fix·for·'accounts_password_all_shadowed'1524 #·END·fix·for·'accounts_password_all_shadowed'
Offset 2267, 37 lines modifiedOffset 2267, 37 lines modified
2267 ###############################################################################2267 ###############################################################################
2268 (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'")2268 (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'")
  
2269 chmod·0644·/etc/passwd2269 chmod·0644·/etc/passwd
Max diff block lines reached; 1963/8920 bytes (22.01%) of diff not shown.
53.2 KB
./usr/share/scap-security-guide/bash/ssg-rhel7-role-standard.sh
    
Offset 1476, 158 lines modifiedOffset 1476, 17 lines modified
1476 }1476 }
  
1477 fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules"1477 fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules"
1478 fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules"1478 fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules"
1479 #·END·fix·for·'audit_rules_kernel_module_loading'1479 #·END·fix·for·'audit_rules_kernel_module_loading'
  
1480 ###############################################################################1480 ###############################################################################
1481 #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_watch_localtime'1481 #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_stime'
1482 ###############################################################################1482 ###############################################################################
1483 (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_watch_localtime'")1483 (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_stime'")
  
  
1484 #·Perform·the·remediation·for·both·possible·tools:·'auditctl'·and·'augenrules' 
1485 #·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: 
1486 #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements 
1487 #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect 
1488 #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules 
1489 # 
1490 #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: 
1491 #·*·audit·tool»    »    »    »    tool·used·to·load·audit·rules, 
1492 #·»      »      »      »      »      either·'auditctl',·or·'augenrules' 
1493 #·*·path························» value·of·-w·audit·rule's·argument 
1494 #·*·required·access·bits········»   value·of·-p·audit·rule's·argument 
1495 #·*·key·························»  value·of·-k·audit·rule's·argument 
1496 # 
1497 #·Example·call: 
1498 # 
1499 #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" 
1500 # 
1501 function·fix_audit_watch_rule·{ 
  
1502 #·Load·function·arguments·into·local·variables 
1503 local·tool="$1" 
1504 local·path="$2" 
1505 local·required_access_bits="$3" 
1506 local·key="$4" 
  
1507 #·Check·sanity·of·the·input 
1508 if·[·$#·-ne·"4"·] 
1509 then 
1510 »       echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" 
1511 »       echo·"Aborting." 
1512 »       exit·1 
1513 fi 
  
1514 #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness 
1515 #·of·a·particular·audit·rule.·The·scheme·is·as·follows: 
1516 # 
1517 #·----------------------------------------------------------------------------------------- 
1518 #·Tool·used·to·load·audit·rules»      |·Rule·already·defined»   |··Audit·rules·file·to·inspect»   ··| 
1519 #·----------------------------------------------------------------------------------------- 
1520 #»      auditctl»      »      |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| 
1521 #·----------------------------------------------------------------------------------------- 
1522 #·»      augenrules»    »    |··········Yes»»|··/etc/audit/rules.d/*.rules»     ··| 
1523 #·»      augenrules»    »    |··········No» » |··/etc/audit/rules.d/$key.rules··| 
1524 #·----------------------------------------------------------------------------------------- 
1525 declare·-a·files_to_inspect 
  
1526 #·Check·sanity·of·the·specified·audit·tool 
1527 if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] 
1528 then 
1529 »       echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." 
1530 »       echo·"Use·either·'auditctl'·or·'augenrules'!" 
1531 »       exit·1 
1532 #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' 
1533 #·into·the·list·of·files·to·be·inspected 
1534 elif·[·"$tool"·==·'auditctl'·] 
1535 then 
1536 »       files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') 
1537 #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined 
1538 #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. 
1539 #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. 
1540 elif·[·"$tool"·==·'augenrules'·] 
1541 then 
1542 »       #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file 
1543 »       #·Get·pair·--·filepath·:·matching_row·into·@matches·array 
1544 »       IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) 
1545 »       #·Reset·IFS·back·to·default 
1546 »       unset·IFS 
1547 »       #·For·each·of·the·matched·entries 
1548 »       for·match·in·"${matches[@]}" 
1549 »       do 
1550 »       »       #·Extract·filepath·from·the·match 
1551 »       »       rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') 
1552 »       »       #·Append·that·path·into·list·of·files·for·inspection 
1553 »       »       files_to_inspect=("${files_to_inspect[@]}"·"$rulesd_audit_file") 
1554 »       done 
1555 »       #·Case·when·particular·audit·rule·isn't·defined·yet 
1556 »       if·[·${#files_to_inspect[@]}·-eq·"0"·] 
1557 »       then 
1558 »       »       #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection 
1559 »       »       files_to_inspect="/etc/audit/rules.d/$key.rules" 
1560 »       »       #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions 
1561 »       »       if·[·!·-e·"$files_to_inspect"·] 
1562 »       »       then 
1563 »       »       »       touch·"$files_to_inspect" 
1564 »       »       »       chmod·0640·"$files_to_inspect" 
1565 »       »       fi 
1566 »       fi 
1567 fi 
  
1568 #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule 
1569 #·correction·for·each·of·the·files·previously·identified·for·inspection 
1570 for·audit_rules_file·in·"${files_to_inspect[@]}" 
1571 do 
  
1572 »       #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present 
1573 »       if·grep·-q·-P·--·"[\s]*-w[\s]+$path"·"$audit_rules_file" 
1574 »       then 
1575 »       »       #·Rule·is·found·=>·verify·yet·if·existing·rule·definition·contains 
1576 »       »       #·all·of·the·required·access·type·bits 
  
1577 »       »       #·Escape·slashes·in·path·for·use·in·sed·pattern·below 
1578 »       »       local·esc_path=${path//$'/'/$'\/'} 
1579 »       »       #·Define·BRE·whitespace·class·shortcut 
1580 »       »       local·sp="[[:space:]]" 
1581 »       »       #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule 
1582 »       »       current_access_bits=$(sed·-ne·"s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p"·"$audit_rules_file") 
1583 »       »       #·Split·required·access·bits·string·into·characters·array 
1584 »       »       #·(to·check·bit's·presence·for·one·bit·at·a·time) 
1585 »       »       for·access_bit·in·$(echo·"$required_access_bits"·|·grep·-o·.) 
1586 »       »       do 
1587 »       »       »       #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check 
1588 »       »       »       #·if·they·are·already·present·in·current·access·bits·for·rule. 
1589 »       »       »       #·If·not,·append·that·bit·at·the·end 
1590 »       »       »       if·!·grep·-q·"$access_bit"·<<<·"$current_access_bits" 
1591 »       »       »       then 
Max diff block lines reached; 47569/54366 bytes (87.50%) of diff not shown.
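Review bot: The rule sequence in the generated role script differs between the two builds — slot 19/51 is 'audit_rules_time_watch_localtime' on one side and 'audit_rules_time_stime' on the other — and the same shuffle is visible in ssg-rhel7-role-stig-rhel7-disa.sh (rules 23–28/243) and ssg-sl6-role-C2S.sh (rules 1–8/188), so it is a build-reproducibility defect in the generator rather than a change to any single remediation. This looks like rules being emitted from an unordered collection; it also means the order in which remediations touch shared files such as /etc/ssh/sshd_config is not stable from build to build. The remediation content visible here is unchanged apart from the renumbering, so sorting rules by id or by profile order before emission would presumably make the output deterministic. The hunk is truncated by diffoscope and the new-side fix body for 'audit_rules_time_stime' is not visible in this chunk.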
126 KB
./usr/share/scap-security-guide/bash/ssg-rhel7-role-stig-rhel7-disa.sh
    
Offset 496, 17 lines modifiedOffset 496, 17 lines modified
496 #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems'496 #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems'
497 ###############################################################################497 ###############################################################################
498 (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'")498 (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'")
499 #·FIX·FOR·THIS·RULE·IS·MISSING499 #·FIX·FOR·THIS·RULE·IS·MISSING
500 #·END·fix·for·'mount_option_nosuid_remote_filesystems'500 #·END·fix·for·'mount_option_nosuid_remote_filesystems'
  
501 ###############################################################################501 ###############################################################################
502 #·BEGIN·fix·(23·/·243)·for·'sshd_disable_user_known_hosts'502 #·BEGIN·fix·(23·/·243)·for·'sshd_enable_strictmodes'
503 ###############################################################################503 ###############################################################################
504 (>&2·echo·"Remediating·rule·23/243:·'sshd_disable_user_known_hosts'")504 (>&2·echo·"Remediating·rule·23/243:·'sshd_enable_strictmodes'")
505 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if505 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
506 #·it·does·not·exist.506 #·it·does·not·exist.
507 #507 #
508 #·Expects·arguments:508 #·Expects·arguments:
509 #509 #
510 #·config_file:»  »  Configuration·file·that·will·be·modified510 #·config_file:»  »  Configuration·file·that·will·be·modified
511 #·key:»  »  »  Configuration·option·to·change511 #·key:»  »  »  Configuration·option·to·change
Offset 577, 21 lines modifiedOffset 577, 21 lines modified
577 ··else577 ··else
578 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline578 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
579 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"579 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
580 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"580 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
581 ··fi581 ··fi
582 }582 }
  
583 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreUserKnownHosts'·'yes'·'CCE-80372-6'·'%s·%s'583 replace_or_append·'/etc/ssh/sshd_config'·'^StrictModes'·'yes'·'CCE-80222-3'·'%s·%s'
584 #·END·fix·for·'sshd_disable_user_known_hosts'584 #·END·fix·for·'sshd_enable_strictmodes'
  
585 ###############################################################################585 ###############################################################################
586 #·BEGIN·fix·(24·/·243)·for·'sshd_disable_empty_passwords'586 #·BEGIN·fix·(24·/·243)·for·'sshd_disable_user_known_hosts'
587 ###############################################################################587 ###############################################################################
588 (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_empty_passwords'")588 (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_user_known_hosts'")
589 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if589 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
590 #·it·does·not·exist.590 #·it·does·not·exist.
591 #591 #
592 #·Expects·arguments:592 #·Expects·arguments:
593 #593 #
594 #·config_file:»  »  Configuration·file·that·will·be·modified594 #·config_file:»  »  Configuration·file·that·will·be·modified
595 #·key:»  »  »  Configuration·option·to·change595 #·key:»  »  »  Configuration·option·to·change
Offset 662, 21 lines modifiedOffset 662, 21 lines modified
662 ··else662 ··else
663 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline663 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
664 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"664 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
665 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"665 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
666 ··fi666 ··fi
667 }667 }
  
668 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'668 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreUserKnownHosts'·'yes'·'CCE-80372-6'·'%s·%s'
669 #·END·fix·for·'sshd_disable_empty_passwords'669 #·END·fix·for·'sshd_disable_user_known_hosts'
  
670 ###############################################################################670 ###############################################################################
671 #·BEGIN·fix·(25·/·243)·for·'sshd_set_keepalive'671 #·BEGIN·fix·(25·/·243)·for·'sshd_disable_empty_passwords'
672 ###############################################################################672 ###############################################################################
673 (>&2·echo·"Remediating·rule·25/243:·'sshd_set_keepalive'")673 (>&2·echo·"Remediating·rule·25/243:·'sshd_disable_empty_passwords'")
674 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if674 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
675 #·it·does·not·exist.675 #·it·does·not·exist.
676 #676 #
677 #·Expects·arguments:677 #·Expects·arguments:
678 #678 #
679 #·config_file:»  »  Configuration·file·that·will·be·modified679 #·config_file:»  »  Configuration·file·that·will·be·modified
680 #·key:»  »  »  Configuration·option·to·change680 #·key:»  »  »  Configuration·option·to·change
Offset 747, 21 lines modifiedOffset 747, 21 lines modified
747 ··else747 ··else
748 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline748 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
749 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"749 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
750 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"750 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
751 ··fi751 ··fi
752 }752 }
  
753 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'753 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'
754 #·END·fix·for·'sshd_set_keepalive'754 #·END·fix·for·'sshd_disable_empty_passwords'
  
755 ###############################################################################755 ###############################################################################
756 #·BEGIN·fix·(26·/·243)·for·'sshd_disable_rhosts_rsa'756 #·BEGIN·fix·(26·/·243)·for·'sshd_set_keepalive'
757 ###############################################################################757 ###############################################################################
758 (>&2·echo·"Remediating·rule·26/243:·'sshd_disable_rhosts_rsa'")758 (>&2·echo·"Remediating·rule·26/243:·'sshd_set_keepalive'")
759 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if759 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
760 #·it·does·not·exist.760 #·it·does·not·exist.
761 #761 #
762 #·Expects·arguments:762 #·Expects·arguments:
763 #763 #
764 #·config_file:»  »  Configuration·file·that·will·be·modified764 #·config_file:»  »  Configuration·file·that·will·be·modified
765 #·key:»  »  »  Configuration·option·to·change765 #·key:»  »  »  Configuration·option·to·change
Offset 832, 21 lines modifiedOffset 832, 23 lines modified
832 ··else832 ··else
833 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline833 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
834 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"834 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
835 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"835 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
836 ··fi836 ··fi
837 }837 }
  
838 replace_or_append·'/etc/ssh/sshd_config'·'^RhostsRSAAuthentication'·'no'·'CCE-80373-4'·'%s·%s'838 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
839 #·END·fix·for·'sshd_disable_rhosts_rsa'839 #·END·fix·for·'sshd_set_keepalive'
  
840 ###############################################################################840 ###############################################################################
841 #·BEGIN·fix·(27·/·243)·for·'sshd_enable_warning_banner'841 #·BEGIN·fix·(27·/·243)·for·'sshd_set_idle_timeout'
842 ###############################################################################842 ###############################################################################
843 (>&2·echo·"Remediating·rule·27/243:·'sshd_enable_warning_banner'")843 (>&2·echo·"Remediating·rule·27/243:·'sshd_set_idle_timeout'")
  
 844 sshd_idle_timeout_value="600"
844 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if845 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
845 #·it·does·not·exist.846 #·it·does·not·exist.
846 #847 #
847 #·Expects·arguments:848 #·Expects·arguments:
848 #849 #
849 #·config_file:»  »  Configuration·file·that·will·be·modified850 #·config_file:»  »  Configuration·file·that·will·be·modified
850 #·key:»  »  »  Configuration·option·to·change851 #·key:»  »  »  Configuration·option·to·change
Offset 917, 23 lines modifiedOffset 919, 21 lines modified
917 ··else919 ··else
918 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline920 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
919 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"921 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
920 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"922 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
921 ··fi923 ··fi
922 }924 }
  
923 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'925 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
924 #·END·fix·for·'sshd_enable_warning_banner'926 #·END·fix·for·'sshd_set_idle_timeout'
  
925 ###############################################################################927 ###############################################################################
926 #·BEGIN·fix·(28·/·243)·for·'sshd_use_approved_macs'928 #·BEGIN·fix·(28·/·243)·for·'sshd_enable_warning_banner'
927 ###############################################################################929 ###############################################################################
928 (>&2·echo·"Remediating·rule·28/243:·'sshd_use_approved_macs'")930 (>&2·echo·"Remediating·rule·28/243:·'sshd_enable_warning_banner'")
  
929 sshd_approved_macs="hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com" 
930 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if931 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
931 #·it·does·not·exist.932 #·it·does·not·exist.
932 #933 #
Max diff block lines reached; 122126/129181 bytes (94.54%) of diff not shown.
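Review bot: `$sshd_idle_timeout_value` is passed to replace_or_append unquoted on the new side (line 925) while every other argument of that call and of the neighbouring calls is quoted; the assignment two hunks earlier is a fixed literal, so it is harmless today, but quoting it `"$sshd_idle_timeout_value"` keeps the call safe if the value ever becomes a user-supplied variable or contains whitespace. The same unquoted form appears in the first file section on this page, whose file header is above this chunk (line 805 there). The new side also drops the `sshd_approved_macs=...` assignment from this position (old line 929); that is presumably the reordering rather than a removal, but the diffoscope truncation hides where it lands.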
329 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-C2S.sh
    
Offset 27, 17 lines modifiedOffset 27, 17 lines modified
27 #27 #
28 #·How·to·apply·this·remediation·role:28 #·How·to·apply·this·remediation·role:
29 #·$·sudo·./remediation-role.sh29 #·$·sudo·./remediation-role.sh
30 #30 #
31 ###############################################################################31 ###############################################################################
  
32 ###############################################################################32 ###############################################################################
33 #·BEGIN·fix·(1·/·188)·for·'package_samba_removed'33 #·BEGIN·fix·(1·/·188)·for·'package_vsftpd_removed'
34 ###############################################################################34 ###############################################################################
35 (>&2·echo·"Remediating·rule·1/188:·'package_samba_removed'")35 (>&2·echo·"Remediating·rule·1/188:·'package_vsftpd_removed'")
36 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.36 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
37 #37 #
38 #·Example·Call(s):38 #·Example·Call(s):
39 #39 #
40 #·····package_remove·telnet-server40 #·····package_remove·telnet-server
41 #41 #
42 function·package_remove·{42 function·package_remove·{
Offset 67, 16 lines modifiedOffset 67, 16 lines modified
67 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"67 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
68 ··echo·"Aborting."68 ··echo·"Aborting."
69 ··exit·169 ··exit·1
70 fi70 fi
  
71 }71 }
  
72 package_remove·samba72 package_remove·vsftpd
73 #·END·fix·for·'package_samba_removed'73 #·END·fix·for·'package_vsftpd_removed'
  
74 ###############################################################################74 ###############################################################################
75 #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed'75 #·BEGIN·fix·(2·/·188)·for·'package_httpd_removed'
76 ###############################################################################76 ###############################################################################
77 (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'")77 (>&2·echo·"Remediating·rule·2/188:·'package_httpd_removed'")
78 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.78 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
79 #79 #
Offset 115, 24 lines modifiedOffset 115, 61 lines modified
  
115 }115 }
  
116 package_remove·httpd116 package_remove·httpd
117 #·END·fix·for·'package_httpd_removed'117 #·END·fix·for·'package_httpd_removed'
  
118 ###############################################################################118 ###############################################################################
119 #·BEGIN·fix·(3·/·188)·for·'postfix_network_listening_disabled'119 #·BEGIN·fix·(3·/·188)·for·'package_bind_removed'
120 ###############################################################################120 ###############################################################################
121 (>&2·echo·"Remediating·rule·3/188:·'postfix_network_listening_disabled'")121 (>&2·echo·"Remediating·rule·3/188:·'package_bind_removed'")
122 #·FIX·FOR·THIS·RULE·IS·MISSING122 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
123 #·END·fix·for·'postfix_network_listening_disabled'123 #
 124 #·Example·Call(s):
 125 #
 126 #·····package_remove·telnet-server
 127 #
 128 function·package_remove·{
  
 129 #·Load·function·arguments·into·local·variables
 130 local·package="$1"
  
 131 #·Check·sanity·of·the·input
 132 if·[·$#·-ne·"1"·]
 133 then
 134 ··echo·"Usage:·package_remove·'package_name'"
 135 ··echo·"Aborting."
 136 ··exit·1
 137 fi
  
 138 if·which·dnf·;·then
 139 ··if·rpm·-q·--quiet·"$package";·then
 140 ····dnf·remove·-y·"$package"
 141 ··fi
 142 elif·which·yum·;·then
 143 ··if·rpm·-q·--quiet·"$package";·then
 144 ····yum·remove·-y·"$package"
 145 ··fi
 146 elif·which·apt-get·;·then
 147 ··apt-get·remove·-y·"$package"
 148 else
 149 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 150 ··echo·"Aborting."
 151 ··exit·1
 152 fi
  
 153 }
  
 154 package_remove·bind
 155 #·END·fix·for·'package_bind_removed'
  
124 ###############################################################################156 ###############################################################################
125 #·BEGIN·fix·(4·/·188)·for·'package_dhcp_removed'157 #·BEGIN·fix·(4·/·188)·for·'package_samba_removed'
126 ###############################################################################158 ###############################################################################
127 (>&2·echo·"Remediating·rule·4/188:·'package_dhcp_removed'")159 (>&2·echo·"Remediating·rule·4/188:·'package_samba_removed'")
128 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.160 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
129 #161 #
130 #·Example·Call(s):162 #·Example·Call(s):
131 #163 #
132 #·····package_remove·telnet-server164 #·····package_remove·telnet-server
133 #165 #
134 function·package_remove·{166 function·package_remove·{
Offset 162, 16 lines modifiedOffset 199, 16 lines modified
162 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"199 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
163 ··echo·"Aborting."200 ··echo·"Aborting."
164 ··exit·1201 ··exit·1
165 fi202 fi
  
166 }203 }
  
167 package_remove·dhcp204 package_remove·samba
168 #·END·fix·for·'package_dhcp_removed'205 #·END·fix·for·'package_samba_removed'
  
169 ###############################################################################206 ###############################################################################
170 #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled'207 #·BEGIN·fix·(5·/·188)·for·'service_ntpd_enabled'
171 ###############################################################################208 ###############################################################################
172 (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'")209 (>&2·echo·"Remediating·rule·5/188:·'service_ntpd_enabled'")
173 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.210 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
174 #211 #
Offset 262, 17 lines modifiedOffset 299, 105 lines modified
262 #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server'299 #·BEGIN·fix·(7·/·188)·for·'ntpd_specify_remote_server'
263 ###############################################################################300 ###############################################################################
264 (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'")301 (>&2·echo·"Remediating·rule·7/188:·'ntpd_specify_remote_server'")
265 #·FIX·FOR·THIS·RULE·IS·MISSING302 #·FIX·FOR·THIS·RULE·IS·MISSING
266 #·END·fix·for·'ntpd_specify_remote_server'303 #·END·fix·for·'ntpd_specify_remote_server'
  
267 ###############################################################################304 ###############################################################################
268 #·BEGIN·fix·(8·/·188)·for·'service_cups_disabled'305 #·BEGIN·fix·(8·/·188)·for·'package_openldap-servers_removed'
269 ###############################################################################306 ###############################################################################
270 (>&2·echo·"Remediating·rule·8/188:·'service_cups_disabled'")307 (>&2·echo·"Remediating·rule·8/188:·'package_openldap-servers_removed'")
 308 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 309 #
 310 #·Example·Call(s):
Max diff block lines reached; 329997/337019 bytes (97.92%) of diff not shown.
437 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-CS2.sh
    
Offset 18, 17 lines modifiedOffset 18, 31 lines modified
18 #18 #
19 #·How·to·apply·this·remediation·role:19 #·How·to·apply·this·remediation·role:
20 #·$·sudo·./remediation-role.sh20 #·$·sudo·./remediation-role.sh
21 #21 #
22 ###############################################################################22 ###############################################################################
  
23 ###############################################################################23 ###############################################################################
24 #·BEGIN·fix·(1·/·313)·for·'service_smb_disabled'24 #·BEGIN·fix·(1·/·313)·for·'ftp_log_transactions'
25 ###############################################################################25 ###############################################################################
26 (>&2·echo·"Remediating·rule·1/313:·'service_smb_disabled'")26 (>&2·echo·"Remediating·rule·1/313:·'ftp_log_transactions'")
 27 #·FIX·FOR·THIS·RULE·IS·MISSING
 28 #·END·fix·for·'ftp_log_transactions'
  
 29 ###############################################################################
 30 #·BEGIN·fix·(2·/·313)·for·'ftp_present_banner'
 31 ###############################################################################
 32 (>&2·echo·"Remediating·rule·2/313:·'ftp_present_banner'")
 33 #·FIX·FOR·THIS·RULE·IS·MISSING
 34 #·END·fix·for·'ftp_present_banner'
  
 35 ###############################################################################
 36 #·BEGIN·fix·(3·/·313)·for·'service_vsftpd_disabled'
 37 ###############################################################################
 38 (>&2·echo·"Remediating·rule·3/313:·'service_vsftpd_disabled'")
27 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.39 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
28 #40 #
29 #·Example·Call(s):41 #·Example·Call(s):
30 #42 #
31 #·····service_command·enable·bluetooth43 #·····service_command·enable·bluetooth
32 #·····service_command·disable·bluetooth.service44 #·····service_command·disable·bluetooth.service
33 #45 #
Offset 96, 49 lines modifiedOffset 110, 60 lines modified
96 ··else110 ··else
97 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd111 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
98 ··fi112 ··fi
99 fi113 fi
  
100 }114 }
  
101 service_command·disable·smb115 service_command·disable·vsftpd
102 #·END·fix·for·'service_smb_disabled'116 #·END·fix·for·'service_vsftpd_disabled'
  
103 ###############################################################################117 ###############################################################################
104 #·BEGIN·fix·(2·/·313)·for·'smb_server_disable_root'118 #·BEGIN·fix·(4·/·313)·for·'package_vsftpd_removed'
105 ###############################################################################119 ###############################################################################
106 (>&2·echo·"Remediating·rule·2/313:·'smb_server_disable_root'")120 (>&2·echo·"Remediating·rule·4/313:·'package_vsftpd_removed'")
107 #·FIX·FOR·THIS·RULE·IS·MISSING121 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
108 #·END·fix·for·'smb_server_disable_root'122 #
 123 #·Example·Call(s):
 124 #
 125 #·····package_remove·telnet-server
 126 #
 127 function·package_remove·{
  
109 ###############################################################################128 #·Load·function·arguments·into·local·variables
110 #·BEGIN·fix·(3·/·313)·for·'require_smb_client_signing'129 local·package="$1"
111 ############################################################################### 
112 (>&2·echo·"Remediating·rule·3/313:·'require_smb_client_signing'") 
113 ###################################################################### 
114 #By·Luke·"Brisk-OH"·Brisk 
115 #luke.brisk@boeing.com·or·luke.brisk@gmail.com 
116 ###################################################################### 
  
117 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)130 #·Check·sanity·of·the·input
 131 if·[·$#·-ne·"1"·]
 132 then
 133 ··echo·"Usage:·package_remove·'package_name'"
 134 ··echo·"Aborting."
 135 ··exit·1
 136 fi
  
118 if·[·"$CLIENTSIGNING"·-eq·0·];··then137 if·which·dnf·;·then
119 »       #·Add·to·global·section138 ··if·rpm·-q·--quiet·"$package";·then
120 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf139 ····dnf·remove·-y·"$package"
 140 ··fi
 141 elif·which·yum·;·then
 142 ··if·rpm·-q·--quiet·"$package";·then
 143 ····yum·remove·-y·"$package"
 144 ··fi
 145 elif·which·apt-get·;·then
 146 ··apt-get·remove·-y·"$package"
121 else147 else
122 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf148 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 149 ··echo·"Aborting."
 150 ··exit·1
123 fi151 fi
124 #·END·fix·for·'require_smb_client_signing' 
  
125 ###############################################################################152 }
126 #·BEGIN·fix·(4·/·313)·for·'mount_option_smb_client_signing' 
127 ###############################################################################153 package_remove·vsftpd
128 (>&2·echo·"Remediating·rule·4/313:·'mount_option_smb_client_signing'")154 #·END·fix·for·'package_vsftpd_removed'
129 #·FIX·FOR·THIS·RULE·IS·MISSING 
130 #·END·fix·for·'mount_option_smb_client_signing' 
  
131 ###############################################################################155 ###############################################################################
132 #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed'156 #·BEGIN·fix·(5·/·313)·for·'package_httpd_removed'
133 ###############################################################################157 ###############################################################################
134 (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'")158 (>&2·echo·"Remediating·rule·5/313:·'package_httpd_removed'")
135 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.159 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
136 #160 #
Offset 248, 94 lines modifiedOffset 273, 183 lines modified
248 #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support'273 #·BEGIN·fix·(15·/·313)·for·'httpd_ldap_support'
249 ###############################################################################274 ###############################################################################
250 (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'")275 (>&2·echo·"Remediating·rule·15/313:·'httpd_ldap_support'")
251 #·FIX·FOR·THIS·RULE·IS·MISSING276 #·FIX·FOR·THIS·RULE·IS·MISSING
252 #·END·fix·for·'httpd_ldap_support'277 #·END·fix·for·'httpd_ldap_support'
  
253 ###############################################################################278 ###############################################################################
254 #·BEGIN·fix·(16·/·313)·for·'httpd_mime_magic'279 #·BEGIN·fix·(16·/·313)·for·'httpd_cgi_support'
255 ###############################################################################280 ###############################################################################
256 (>&2·echo·"Remediating·rule·16/313:·'httpd_mime_magic'")281 (>&2·echo·"Remediating·rule·16/313:·'httpd_cgi_support'")
257 #·FIX·FOR·THIS·RULE·IS·MISSING282 #·FIX·FOR·THIS·RULE·IS·MISSING
258 #·END·fix·for·'httpd_mime_magic'283 #·END·fix·for·'httpd_cgi_support'
  
259 ###############################################################################284 ###############################################################################
260 #·BEGIN·fix·(17·/·313)·for·'httpd_digest_authentication'285 #·BEGIN·fix·(17·/·313)·for·'httpd_url_correction'
261 ###############################################################################286 ###############################################################################
262 (>&2·echo·"Remediating·rule·17/313:·'httpd_digest_authentication'")287 (>&2·echo·"Remediating·rule·17/313:·'httpd_url_correction'")
263 #·FIX·FOR·THIS·RULE·IS·MISSING288 #·FIX·FOR·THIS·RULE·IS·MISSING
264 #·END·fix·for·'httpd_digest_authentication'289 #·END·fix·for·'httpd_url_correction'
  
265 ###############################################################################290 ###############################################################################
266 #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status'291 #·BEGIN·fix·(18·/·313)·for·'httpd_server_activity_status'
267 ###############################################################################292 ###############################################################################
268 (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'")293 (>&2·echo·"Remediating·rule·18/313:·'httpd_server_activity_status'")
269 #·FIX·FOR·THIS·RULE·IS·MISSING294 #·FIX·FOR·THIS·RULE·IS·MISSING
Max diff block lines reached; 441404/447704 bytes (98.59%) of diff not shown.
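Review bot: The apt-get branch of `package_remove` (new-side line 146) runs `apt-get remove -y "$package"` unconditionally, while the dnf and yum branches first guard with `rpm -q --quiet` (lines 138 and 142); mirroring that guard with `dpkg -s "$package" >/dev/null 2>&1 && apt-get remove -y "$package"` keeps the Debian path from touching the package database, or failing on a name apt does not know, when vsftpd is not installed. For a rule named package_vsftpd_removed, `apt-get remove` also leaves the package's configuration under /etc in place, so `apt-get purge -y` is probably what a "removed" remediation wants, though that should be checked against what the corresponding OVAL check actually tests. The same function body is re-emitted verbatim for package_httpd_removed in the next hunk, so any fix belongs in the generator template rather than in this file. The section is truncated by diffoscope, so later hunks were not reviewed.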
292 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-CSCF-RHEL6-MLS.sh
    
Offset 23, 46 lines modifiedOffset 23, 99 lines modified
23 #23 #
24 #·How·to·apply·this·remediation·role:24 #·How·to·apply·this·remediation·role:
25 #·$·sudo·./remediation-role.sh25 #·$·sudo·./remediation-role.sh
26 #26 #
27 ###############################################################################27 ###############################################################################
  
28 ###############################################################################28 ###############################################################################
29 #·BEGIN·fix·(1·/·215)·for·'httpd_servertokens_prod'29 #·BEGIN·fix·(1·/·215)·for·'service_vsftpd_disabled'
30 ###############################################################################30 ###############################################################################
31 (>&2·echo·"Remediating·rule·1/215:·'httpd_servertokens_prod'")31 (>&2·echo·"Remediating·rule·1/215:·'service_vsftpd_disabled'")
32 #·FIX·FOR·THIS·RULE·IS·MISSING32 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
33 #·END·fix·for·'httpd_servertokens_prod'33 #
 34 #·Example·Call(s):
 35 #
 36 #·····service_command·enable·bluetooth
 37 #·····service_command·disable·bluetooth.service
 38 #
 39 #·····Using·xinetd:
 40 #·····service_command·disable·rsh.socket·xinetd=rsh
 41 #
 42 function·service_command·{
  
34 ###############################################################################43 #·Load·function·arguments·into·local·variables
35 #·BEGIN·fix·(2·/·215)·for·'file_permissions_httpd_server_conf_files'44 local·service_state=$1
36 ###############################################################################45 local·service=$2
37 (>&2·echo·"Remediating·rule·2/215:·'file_permissions_httpd_server_conf_files'")46 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
38 chmod·0640·/etc/httpd/conf/*47 #·Check·sanity·of·the·input
39 #·END·fix·for·'file_permissions_httpd_server_conf_files'48 if·[·$#·-lt·"2"·]
 49 then
 50 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 51 ··echo
 52 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 53 ··echo·"as·the·last·argument"··
 54 ··echo·"Aborting."
 55 ··exit·1
 56 fi
  
40 ###############################################################################57 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
41 #·BEGIN·fix·(3·/·215)·for·'dir_perms_var_log_httpd'58 if·[·-f·"/usr/bin/systemctl"·]·;·then
42 ###############################################################################59 ··service_util="/usr/bin/systemctl"
43 (>&2·echo·"Remediating·rule·3/215:·'dir_perms_var_log_httpd'")60 else
44 #·FIX·FOR·THIS·RULE·IS·MISSING61 ··service_util="/sbin/service"
45 #·END·fix·for·'dir_perms_var_log_httpd'62 ··chkconfig_util="/sbin/chkconfig"
 63 fi
  
46 ###############################################################################64 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
47 #·BEGIN·fix·(4·/·215)·for·'postfix_network_listening_disabled'65 #·Otherwise,·variables·are·to·be·set·to·disable·services.
48 ###############################################################################66 if·[·"$service_state"·!=·'disable'·]·;·then
49 (>&2·echo·"Remediating·rule·4/215:·'postfix_network_listening_disabled'")67 ··service_state="enable"
50 #·FIX·FOR·THIS·RULE·IS·MISSING68 ··service_operation="start"
51 #·END·fix·for·'postfix_network_listening_disabled'69 ··chkconfig_state="on"
 70 else
 71 ··service_state="disable"
 72 ··service_operation="stop"
 73 ··chkconfig_state="off"
 74 fi
  
 75 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 76 if·[·"x$chkconfig_util"·!=·x·]·;·then
 77 ··$service_util·$service·$service_operation
 78 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 79 else
 80 ··$service_util·$service_operation·$service
 81 ··$service_util·$service_state·$service
 82 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 83 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 84 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 85 ··$service_util·reset-failed·$service
 86 fi
  
 87 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 88 #·If·empty,·then·xinetd·is·not·being·used.
 89 if·[·"x$xinetd"·!=·x·]·;·then
 90 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 91 ··if·[·"$service_operation"·=·'disable'·]·;·then
 92 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 93 ··else
 94 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 95 ··fi
 96 fi
  
 97 }
  
 98 service_command·disable·vsftpd
 99 #·END·fix·for·'service_vsftpd_disabled'
  
52 ###############################################################################100 ###############################################################################
53 #·BEGIN·fix·(5·/·215)·for·'package_sendmail_removed'101 #·BEGIN·fix·(2·/·215)·for·'package_vsftpd_removed'
54 ###############################################################################102 ###############################################################################
55 (>&2·echo·"Remediating·rule·5/215:·'package_sendmail_removed'")103 (>&2·echo·"Remediating·rule·2/215:·'package_vsftpd_removed'")
56 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.104 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
57 #105 #
58 #·Example·Call(s):106 #·Example·Call(s):
59 #107 #
60 #·····package_remove·telnet-server108 #·····package_remove·telnet-server
61 #109 #
62 function·package_remove·{110 function·package_remove·{
Offset 92, 49 lines modifiedOffset 145, 132 lines modified
92 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"145 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
93 ··echo·"Aborting."146 ··echo·"Aborting."
94 ··exit·1147 ··exit·1
95 fi148 fi
  
96 }149 }
  
97 package_remove·sendmail150 package_remove·vsftpd
98 #·END·fix·for·'package_sendmail_removed'151 #·END·fix·for·'package_vsftpd_removed'
  
99 ###############################################################################152 ###############################################################################
100 #·BEGIN·fix·(6·/·215)·for·'sysconfig_networking_bootproto_ifcfg'153 #·BEGIN·fix·(3·/·215)·for·'httpd_servertokens_prod'
101 ###############################################################################154 ###############################################################################
102 (>&2·echo·"Remediating·rule·6/215:·'sysconfig_networking_bootproto_ifcfg'")155 (>&2·echo·"Remediating·rule·3/215:·'httpd_servertokens_prod'")
103 #·FIX·FOR·THIS·RULE·IS·MISSING156 #·FIX·FOR·THIS·RULE·IS·MISSING
104 #·END·fix·for·'sysconfig_networking_bootproto_ifcfg'157 #·END·fix·for·'httpd_servertokens_prod'
  
105 ###############################################################################158 ###############################################################################
106 #·BEGIN·fix·(7·/·215)·for·'dhcp_server_deny_decline'159 #·BEGIN·fix·(4·/·215)·for·'file_permissions_httpd_server_conf_files'
107 ###############################################################################160 ###############################################################################
108 (>&2·echo·"Remediating·rule·7/215:·'dhcp_server_deny_decline'")161 (>&2·echo·"Remediating·rule·4/215:·'file_permissions_httpd_server_conf_files'")
109 #·FIX·FOR·THIS·RULE·IS·MISSING 
110 #·END·fix·for·'dhcp_server_deny_decline'162 chmod·0640·/etc/httpd/conf/*
 163 #·END·fix·for·'file_permissions_httpd_server_conf_files'
  
111 ###############################################################################164 ###############################################################################
112 #·BEGIN·fix·(8·/·215)·for·'dhcp_server_disable_ddns'165 #·BEGIN·fix·(5·/·215)·for·'dir_perms_var_log_httpd'
Max diff block lines reached; 292875/299278 bytes (97.86%) of diff not shown.
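Review bot: The xinetd branch of `service_command` (new-side lines 91-95) tests `"$service_operation" = 'disable'`, but that variable only ever holds `start` or `stop` (lines 68 and 72); the enable/disable word lives in `service_state`, so the first branch is dead and every xinetd call writes `disable = yes`, including a `service_command enable ... xinetd=...` call. The two branches are also inverted relative to what they compare, since disabling should write `yes`. Suggested: `if [ "$service_state" = 'disable' ] ; then` with `disable         = yes` in the then-branch and `disable         = no` in the else. This role only calls the helper as `service_command disable vsftpd` with no xinetd argument, so the bug is latent here, but the identical body is emitted into every role. The section is truncated by diffoscope, so later hunks were not reviewed.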
321 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-desktop.sh
    
Offset 19, 17 lines modifiedOffset 19, 17 lines modified
19 #19 #
20 #·How·to·apply·this·remediation·role:20 #·How·to·apply·this·remediation·role:
21 #·$·sudo·./remediation-role.sh21 #·$·sudo·./remediation-role.sh
22 #22 #
23 ###############################################################################23 ###############################################################################
  
24 ###############################################################################24 ###############################################################################
25 #·BEGIN·fix·(1·/·206)·for·'service_smb_disabled'25 #·BEGIN·fix·(1·/·206)·for·'service_vsftpd_disabled'
26 ###############################################################################26 ###############################################################################
27 (>&2·echo·"Remediating·rule·1/206:·'service_smb_disabled'")27 (>&2·echo·"Remediating·rule·1/206:·'service_vsftpd_disabled'")
28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
29 #29 #
30 #·Example·Call(s):30 #·Example·Call(s):
31 #31 #
32 #·····service_command·enable·bluetooth32 #·····service_command·enable·bluetooth
33 #·····service_command·disable·bluetooth.service33 #·····service_command·disable·bluetooth.service
34 #34 #
Offset 97, 47 lines modifiedOffset 97, 65 lines modified
97 ··else97 ··else
98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
99 ··fi99 ··fi
100 fi100 fi
  
101 }101 }
  
102 service_command·disable·smb102 service_command·disable·vsftpd
103 #·END·fix·for·'service_smb_disabled'103 #·END·fix·for·'service_vsftpd_disabled'
  
104 ###############################################################################104 ###############################################################################
105 #·BEGIN·fix·(2·/·206)·for·'require_smb_client_signing'105 #·BEGIN·fix·(2·/·206)·for·'package_vsftpd_removed'
106 ###############################################################################106 ###############################################################################
107 (>&2·echo·"Remediating·rule·2/206:·'require_smb_client_signing'")107 (>&2·echo·"Remediating·rule·2/206:·'package_vsftpd_removed'")
108 ######################################################################108 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
109 #By·Luke·"Brisk-OH"·Brisk109 #
110 #luke.brisk@boeing.com·or·luke.brisk@gmail.com110 #·Example·Call(s):
111 ######################################################################111 #
 112 #·····package_remove·telnet-server
 113 #
 114 function·package_remove·{
  
112 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)115 #·Load·function·arguments·into·local·variables
 116 local·package="$1"
  
113 if·[·"$CLIENTSIGNING"·-eq·0·];··then117 #·Check·sanity·of·the·input
114 »       #·Add·to·global·section118 if·[·$#·-ne·"1"·]
115 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf119 then
 120 ··echo·"Usage:·package_remove·'package_name'"
 121 ··echo·"Aborting."
 122 ··exit·1
 123 fi
  
 124 if·which·dnf·;·then
 125 ··if·rpm·-q·--quiet·"$package";·then
 126 ····dnf·remove·-y·"$package"
 127 ··fi
 128 elif·which·yum·;·then
 129 ··if·rpm·-q·--quiet·"$package";·then
 130 ····yum·remove·-y·"$package"
 131 ··fi
 132 elif·which·apt-get·;·then
 133 ··apt-get·remove·-y·"$package"
116 else134 else
117 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf135 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 136 ··echo·"Aborting."
 137 ··exit·1
118 fi138 fi
119 #·END·fix·for·'require_smb_client_signing' 
  
120 ###############################################################################139 }
121 #·BEGIN·fix·(3·/·206)·for·'mount_option_smb_client_signing' 
122 ###############################################################################140 package_remove·vsftpd
123 (>&2·echo·"Remediating·rule·3/206:·'mount_option_smb_client_signing'")141 #·END·fix·for·'package_vsftpd_removed'
124 #·FIX·FOR·THIS·RULE·IS·MISSING 
125 #·END·fix·for·'mount_option_smb_client_signing' 
  
126 ###############################################################################142 ###############################################################################
127 #·BEGIN·fix·(4·/·206)·for·'service_httpd_disabled'143 #·BEGIN·fix·(3·/·206)·for·'service_httpd_disabled'
128 ###############################################################################144 ###############################################################################
129 (>&2·echo·"Remediating·rule·4/206:·'service_httpd_disabled'")145 (>&2·echo·"Remediating·rule·3/206:·'service_httpd_disabled'")
130 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.146 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
131 #147 #
132 #·Example·Call(s):148 #·Example·Call(s):
133 #149 #
134 #·····service_command·enable·bluetooth150 #·····service_command·enable·bluetooth
135 #·····service_command·disable·bluetooth.service151 #·····service_command·disable·bluetooth.service
136 #152 #
Offset 209, 17 lines modifiedOffset 227, 17 lines modified
  
209 }227 }
  
210 service_command·disable·httpd228 service_command·disable·httpd
211 #·END·fix·for·'service_httpd_disabled'229 #·END·fix·for·'service_httpd_disabled'
  
212 ###############################################################################230 ###############################################################################
213 #·BEGIN·fix·(5·/·206)·for·'package_httpd_removed'231 #·BEGIN·fix·(4·/·206)·for·'package_httpd_removed'
214 ###############################################################################232 ###############################################################################
215 (>&2·echo·"Remediating·rule·5/206:·'package_httpd_removed'")233 (>&2·echo·"Remediating·rule·4/206:·'package_httpd_removed'")
216 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.234 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
217 #235 #
218 #·Example·Call(s):236 #·Example·Call(s):
219 #237 #
220 #·····package_remove·telnet-server238 #·····package_remove·telnet-server
221 #239 #
222 function·package_remove·{240 function·package_remove·{
Offset 253, 24 lines modifiedOffset 271, 99 lines modified
  
253 }271 }
  
254 package_remove·httpd272 package_remove·httpd
255 #·END·fix·for·'package_httpd_removed'273 #·END·fix·for·'package_httpd_removed'
  
256 ###############################################################################274 ###############################################################################
257 #·BEGIN·fix·(6·/·206)·for·'postfix_network_listening_disabled'275 #·BEGIN·fix·(5·/·206)·for·'service_named_disabled'
258 ###############################################################################276 ###############################################################################
259 (>&2·echo·"Remediating·rule·6/206:·'postfix_network_listening_disabled'")277 (>&2·echo·"Remediating·rule·5/206:·'service_named_disabled'")
260 #·FIX·FOR·THIS·RULE·IS·MISSING278 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
261 #·END·fix·for·'postfix_network_listening_disabled'279 #
 280 #·Example·Call(s):
 281 #
 282 #·····service_command·enable·bluetooth
 283 #·····service_command·disable·bluetooth.service
 284 #
 285 #·····Using·xinetd:
 286 #·····service_command·disable·rsh.socket·xinetd=rsh
 287 #
 288 function·service_command·{
  
Max diff block lines reached; 321323/328772 bytes (97.73%) of diff not shown.
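Review bot: The two builds differ only in the order in which rules are emitted into this role — b1 opens with service_smb_disabled and require_smb_client_signing, b2 with service_vsftpd_disabled and package_vsftpd_removed — and every `Remediating rule N/206` counter is renumbered to match, so the generated script is not reproducible even though the rule set appears unchanged. The generator that assembles these roles appears to iterate an unordered collection of rule IDs; sorting the selected rules before emitting them would make the output deterministic and should be fixed in the generator rather than accepted as build-dependent output. Remediation order can also affect the result (stopping a service before its package is removed, as the new ordering happens to do for vsftpd), which is a further reason to pin it. The section is truncated by diffoscope, so not every reordered hunk is visible.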
325 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-fisma-medium-rhel6-server.sh
    
Offset 114, 17 lines modifiedOffset 114, 181 lines modified
114 #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server'114 #·BEGIN·fix·(3·/·211)·for·'ntpd_specify_remote_server'
115 ###############################################################################115 ###############################################################################
116 (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'")116 (>&2·echo·"Remediating·rule·3/211:·'ntpd_specify_remote_server'")
117 #·FIX·FOR·THIS·RULE·IS·MISSING117 #·FIX·FOR·THIS·RULE·IS·MISSING
118 #·END·fix·for·'ntpd_specify_remote_server'118 #·END·fix·for·'ntpd_specify_remote_server'
  
119 ###############################################################################119 ###############################################################################
120 #·BEGIN·fix·(4·/·211)·for·'package_rsh_removed'120 #·BEGIN·fix·(4·/·211)·for·'service_crond_enabled'
121 ###############################################################################121 ###############################################################################
122 (>&2·echo·"Remediating·rule·4/211:·'package_rsh_removed'")122 (>&2·echo·"Remediating·rule·4/211:·'service_crond_enabled'")
 123 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 124 #
 125 #·Example·Call(s):
 126 #
 127 #·····service_command·enable·bluetooth
 128 #·····service_command·disable·bluetooth.service
 129 #
 130 #·····Using·xinetd:
 131 #·····service_command·disable·rsh.socket·xinetd=rsh
 132 #
 133 function·service_command·{
  
 134 #·Load·function·arguments·into·local·variables
 135 local·service_state=$1
 136 local·service=$2
 137 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 138 #·Check·sanity·of·the·input
 139 if·[·$#·-lt·"2"·]
 140 then
 141 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 142 ··echo
 143 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 144 ··echo·"as·the·last·argument"··
 145 ··echo·"Aborting."
 146 ··exit·1
 147 fi
  
 148 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 149 if·[·-f·"/usr/bin/systemctl"·]·;·then
 150 ··service_util="/usr/bin/systemctl"
 151 else
 152 ··service_util="/sbin/service"
 153 ··chkconfig_util="/sbin/chkconfig"
 154 fi
  
 155 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 156 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 157 if·[·"$service_state"·!=·'disable'·]·;·then
 158 ··service_state="enable"
 159 ··service_operation="start"
 160 ··chkconfig_state="on"
 161 else
 162 ··service_state="disable"
 163 ··service_operation="stop"
 164 ··chkconfig_state="off"
 165 fi
  
 166 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 167 if·[·"x$chkconfig_util"·!=·x·]·;·then
 168 ··$service_util·$service·$service_operation
 169 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 170 else
 171 ··$service_util·$service_operation·$service
 172 ··$service_util·$service_state·$service
 173 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 174 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 175 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 176 ··$service_util·reset-failed·$service
 177 fi
  
 178 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 179 #·If·empty,·then·xinetd·is·not·being·used.
 180 if·[·"x$xinetd"·!=·x·]·;·then
 181 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 182 ··if·[·"$service_operation"·=·'disable'·]·;·then
 183 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 184 ··else
 185 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 186 ··fi
 187 fi
  
 188 }
  
 189 service_command·enable·crond
 190 #·END·fix·for·'service_crond_enabled'
  
 191 ###############################################################################
 192 #·BEGIN·fix·(5·/·211)·for·'service_atd_disabled'
 193 ###############################################################################
 194 (>&2·echo·"Remediating·rule·5/211:·'service_atd_disabled'")
 195 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 196 #
 197 #·Example·Call(s):
 198 #
 199 #·····service_command·enable·bluetooth
 200 #·····service_command·disable·bluetooth.service
 201 #
 202 #·····Using·xinetd:
 203 #·····service_command·disable·rsh.socket·xinetd=rsh
 204 #
 205 function·service_command·{
  
 206 #·Load·function·arguments·into·local·variables
 207 local·service_state=$1
 208 local·service=$2
 209 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 210 #·Check·sanity·of·the·input
 211 if·[·$#·-lt·"2"·]
 212 then
 213 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 214 ··echo
 215 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 216 ··echo·"as·the·last·argument"··
 217 ··echo·"Aborting."
 218 ··exit·1
 219 fi
  
 220 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 221 if·[·-f·"/usr/bin/systemctl"·]·;·then
 222 ··service_util="/usr/bin/systemctl"
 223 else
 224 ··service_util="/sbin/service"
 225 ··chkconfig_util="/sbin/chkconfig"
 226 fi
Max diff block lines reached; 326691/332694 bytes (98.20%) of diff not shown.
286 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-ftp-server.sh
    
Offset 18, 17 lines modifiedOffset 18, 96 lines modified
18 #18 #
19 #·How·to·apply·this·remediation·role:19 #·How·to·apply·this·remediation·role:
20 #·$·sudo·./remediation-role.sh20 #·$·sudo·./remediation-role.sh
21 #21 #
22 ###############################################################################22 ###############################################################################
  
23 ###############################################################################23 ###############################################################################
24 #·BEGIN·fix·(1·/·192)·for·'require_smb_client_signing'24 #·BEGIN·fix·(1·/·192)·for·'ftp_restrict_to_anon'
25 ###############################################################################25 ###############################################################################
26 (>&2·echo·"Remediating·rule·1/192:·'require_smb_client_signing'")26 (>&2·echo·"Remediating·rule·1/192:·'ftp_restrict_to_anon'")
 27 #·FIX·FOR·THIS·RULE·IS·MISSING
 28 #·END·fix·for·'ftp_restrict_to_anon'
  
 29 ###############################################################################
 30 #·BEGIN·fix·(2·/·192)·for·'ftp_home_partition'
 31 ###############################################################################
 32 (>&2·echo·"Remediating·rule·2/192:·'ftp_home_partition'")
 33 #·FIX·FOR·THIS·RULE·IS·MISSING
 34 #·END·fix·for·'ftp_home_partition'
  
 35 ###############################################################################
 36 #·BEGIN·fix·(3·/·192)·for·'ftp_log_transactions'
 37 ###############################################################################
 38 (>&2·echo·"Remediating·rule·3/192:·'ftp_log_transactions'")
 39 #·FIX·FOR·THIS·RULE·IS·MISSING
 40 #·END·fix·for·'ftp_log_transactions'
  
 41 ###############################################################################
 42 #·BEGIN·fix·(4·/·192)·for·'ftp_disable_uploads'
 43 ###############################################################################
 44 (>&2·echo·"Remediating·rule·4/192:·'ftp_disable_uploads'")
 45 #·FIX·FOR·THIS·RULE·IS·MISSING
 46 #·END·fix·for·'ftp_disable_uploads'
  
 47 ###############################################################################
 48 #·BEGIN·fix·(5·/·192)·for·'ftp_present_banner'
 49 ###############################################################################
 50 (>&2·echo·"Remediating·rule·5/192:·'ftp_present_banner'")
 51 #·FIX·FOR·THIS·RULE·IS·MISSING
 52 #·END·fix·for·'ftp_present_banner'
  
 53 ###############################################################################
 54 #·BEGIN·fix·(6·/·192)·for·'package_vsftpd_installed'
 55 ###############################################################################
 56 (>&2·echo·"Remediating·rule·6/192:·'package_vsftpd_installed'")
 57 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 58 #
 59 #·Example·Call(s):
 60 #
 61 #·····package_install·aide
 62 #
 63 function·package_install·{
  
 64 #·Load·function·arguments·into·local·variables
 65 local·package="$1"
  
 66 #·Check·sanity·of·the·input
 67 if·[·$#·-ne·"1"·]
 68 then
 69 ··echo·"Usage:·package_install·'package_name'"
 70 ··echo·"Aborting."
 71 ··exit·1
 72 fi
  
 73 if·which·dnf·;·then
 74 ··if·!·rpm·-q·--quiet·"$package";·then
 75 ····dnf·install·-y·"$package"
 76 ··fi
 77 elif·which·yum·;·then
 78 ··if·!·rpm·-q·--quiet·"$package";·then
 79 ····yum·install·-y·"$package"
 80 ··fi
 81 elif·which·apt-get·;·then
 82 ··apt-get·install·-y·"$package"
 83 else
 84 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 85 ··echo·"Aborting."
 86 ··exit·1
 87 fi
  
 88 }
  
 89 package_install·vsftpd
 90 #·END·fix·for·'package_vsftpd_installed'
  
 91 ###############################################################################
 92 #·BEGIN·fix·(7·/·192)·for·'require_smb_client_signing'
 93 ###############################################################################
 94 (>&2·echo·"Remediating·rule·7/192:·'require_smb_client_signing'")
27 ######################################################################95 ######################################################################
28 #By·Luke·"Brisk-OH"·Brisk96 #By·Luke·"Brisk-OH"·Brisk
29 #luke.brisk@boeing.com·or·luke.brisk@gmail.com97 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
30 ######################################################################98 ######################################################################
  
31 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)99 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
Offset 37, 38 lines modifiedOffset 116, 24 lines modified
37 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf116 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
38 else117 else
39 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf118 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
40 fi119 fi
41 #·END·fix·for·'require_smb_client_signing'120 #·END·fix·for·'require_smb_client_signing'
  
42 ###############################################################################121 ###############################################################################
43 #·BEGIN·fix·(2·/·192)·for·'mount_option_smb_client_signing'122 #·BEGIN·fix·(8·/·192)·for·'mount_option_smb_client_signing'
44 ###############################################################################123 ###############################################################################
45 (>&2·echo·"Remediating·rule·2/192:·'mount_option_smb_client_signing'")124 (>&2·echo·"Remediating·rule·8/192:·'mount_option_smb_client_signing'")
46 #·FIX·FOR·THIS·RULE·IS·MISSING125 #·FIX·FOR·THIS·RULE·IS·MISSING
47 #·END·fix·for·'mount_option_smb_client_signing'126 #·END·fix·for·'mount_option_smb_client_signing'
  
48 ###############################################################################127 ###############################################################################
49 #·BEGIN·fix·(3·/·192)·for·'postfix_network_listening_disabled'128 #·BEGIN·fix·(9·/·192)·for·'service_ntpd_enabled'
50 ############################################################################### 
51 (>&2·echo·"Remediating·rule·3/192:·'postfix_network_listening_disabled'") 
52 #·FIX·FOR·THIS·RULE·IS·MISSING 
53 #·END·fix·for·'postfix_network_listening_disabled' 
  
54 ############################################################################### 
55 #·BEGIN·fix·(4·/·192)·for·'sysconfig_networking_bootproto_ifcfg' 
56 ############################################################################### 
57 (>&2·echo·"Remediating·rule·4/192:·'sysconfig_networking_bootproto_ifcfg'") 
58 #·FIX·FOR·THIS·RULE·IS·MISSING 
59 #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' 
  
60 ############################################################################### 
61 #·BEGIN·fix·(5·/·192)·for·'service_ntpd_enabled' 
62 ###############################################################################129 ###############################################################################
Max diff block lines reached; 286922/292683 bytes (98.03%) of diff not shown.
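Review bot: The rule order and the N/192 counters in this section differ between two builds of the same source: 'require_smb_client_signing' is rule 1/192 on the old side and 7/192 on the new, with the six ftp/vsftpd stanzas moved ahead of it, which suggests the generator emits rules in an order that is not deterministic (inferred from the output; the generator itself is not on this page). Sorting the rule ids before the stanzas are written would make the script reproducible; the same shift appears in the nist-CL-IL-AL, pci-dss, rht-ccp and server sections below. Separately, in the added package_install the tests `if which dnf ; then` and `elif which yum ; then` print the resolved path into the remediation output; `if which dnf >/dev/null 2>&1 ; then` keeps the probe silent without changing the branch taken. The second hunk of this section is cut off by the diff size limit.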
411 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-nist-CL-IL-AL.sh
    
Offset 22, 43 lines modifiedOffset 22, 61 lines modified
22 #22 #
23 #·How·to·apply·this·remediation·role:23 #·How·to·apply·this·remediation·role:
24 #·$·sudo·./remediation-role.sh24 #·$·sudo·./remediation-role.sh
25 #25 #
26 ###############################################################################26 ###############################################################################
  
27 ###############################################################################27 ###############################################################################
28 #·BEGIN·fix·(1·/·270)·for·'require_smb_client_signing'28 #·BEGIN·fix·(1·/·270)·for·'package_vsftpd_removed'
29 ###############################################################################29 ###############################################################################
30 (>&2·echo·"Remediating·rule·1/270:·'require_smb_client_signing'")30 (>&2·echo·"Remediating·rule·1/270:·'package_vsftpd_removed'")
31 ######################################################################31 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
32 #By·Luke·"Brisk-OH"·Brisk32 #
33 #luke.brisk@boeing.com·or·luke.brisk@gmail.com33 #·Example·Call(s):
34 ######################################################################34 #
 35 #·····package_remove·telnet-server
 36 #
 37 function·package_remove·{
  
35 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)38 #·Load·function·arguments·into·local·variables
 39 local·package="$1"
  
36 if·[·"$CLIENTSIGNING"·-eq·0·];··then40 #·Check·sanity·of·the·input
37 »       #·Add·to·global·section41 if·[·$#·-ne·"1"·]
38 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf42 then
 43 ··echo·"Usage:·package_remove·'package_name'"
 44 ··echo·"Aborting."
 45 ··exit·1
 46 fi
  
 47 if·which·dnf·;·then
 48 ··if·rpm·-q·--quiet·"$package";·then
 49 ····dnf·remove·-y·"$package"
 50 ··fi
 51 elif·which·yum·;·then
 52 ··if·rpm·-q·--quiet·"$package";·then
 53 ····yum·remove·-y·"$package"
 54 ··fi
 55 elif·which·apt-get·;·then
 56 ··apt-get·remove·-y·"$package"
39 else57 else
40 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf58 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 59 ··echo·"Aborting."
 60 ··exit·1
41 fi61 fi
42 #·END·fix·for·'require_smb_client_signing' 
  
43 ###############################################################################62 }
44 #·BEGIN·fix·(2·/·270)·for·'mount_option_smb_client_signing' 
45 ###############################################################################63 package_remove·vsftpd
46 (>&2·echo·"Remediating·rule·2/270:·'mount_option_smb_client_signing'")64 #·END·fix·for·'package_vsftpd_removed'
47 #·FIX·FOR·THIS·RULE·IS·MISSING 
48 #·END·fix·for·'mount_option_smb_client_signing' 
  
49 ###############################################################################65 ###############################################################################
50 #·BEGIN·fix·(3·/·270)·for·'service_httpd_disabled'66 #·BEGIN·fix·(2·/·270)·for·'service_httpd_disabled'
51 ###############################################################################67 ###############################################################################
52 (>&2·echo·"Remediating·rule·3/270:·'service_httpd_disabled'")68 (>&2·echo·"Remediating·rule·2/270:·'service_httpd_disabled'")
53 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.69 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
54 #70 #
55 #·Example·Call(s):71 #·Example·Call(s):
56 #72 #
57 #·····service_command·enable·bluetooth73 #·····service_command·enable·bluetooth
58 #·····service_command·disable·bluetooth.service74 #·····service_command·disable·bluetooth.service
59 #75 #
Offset 130, 17 lines modifiedOffset 148, 17 lines modified
  
130 }148 }
  
131 service_command·disable·httpd149 service_command·disable·httpd
132 #·END·fix·for·'service_httpd_disabled'150 #·END·fix·for·'service_httpd_disabled'
  
133 ###############################################################################151 ###############################################################################
134 #·BEGIN·fix·(4·/·270)·for·'package_httpd_removed'152 #·BEGIN·fix·(3·/·270)·for·'package_httpd_removed'
135 ###############################################################################153 ###############################################################################
136 (>&2·echo·"Remediating·rule·4/270:·'package_httpd_removed'")154 (>&2·echo·"Remediating·rule·3/270:·'package_httpd_removed'")
137 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.155 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
138 #156 #
139 #·Example·Call(s):157 #·Example·Call(s):
140 #158 #
141 #·····package_remove·telnet-server159 #·····package_remove·telnet-server
142 #160 #
143 function·package_remove·{161 function·package_remove·{
Offset 174, 75 lines modifiedOffset 192, 99 lines modified
  
174 }192 }
  
175 package_remove·httpd193 package_remove·httpd
176 #·END·fix·for·'package_httpd_removed'194 #·END·fix·for·'package_httpd_removed'
  
177 ###############################################################################195 ###############################################################################
178 #·BEGIN·fix·(5·/·270)·for·'postfix_network_listening_disabled'196 #·BEGIN·fix·(4·/·270)·for·'service_named_disabled'
179 ###############################################################################197 ###############################################################################
180 (>&2·echo·"Remediating·rule·5/270:·'postfix_network_listening_disabled'")198 (>&2·echo·"Remediating·rule·4/270:·'service_named_disabled'")
181 #·FIX·FOR·THIS·RULE·IS·MISSING199 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
182 #·END·fix·for·'postfix_network_listening_disabled' 
  
183 ############################################################################### 
184 #·BEGIN·fix·(6·/·270)·for·'package_sendmail_removed' 
185 ############################################################################### 
186 (>&2·echo·"Remediating·rule·6/270:·'package_sendmail_removed'") 
187 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
188 #200 #
189 #·Example·Call(s):201 #·Example·Call(s):
190 #202 #
191 #·····package_remove·telnet-server203 #·····service_command·enable·bluetooth
 204 #·····service_command·disable·bluetooth.service
192 #205 #
193 function·package_remove·{206 #·····Using·xinetd:
 207 #·····service_command·disable·rsh.socket·xinetd=rsh
 208 #
 209 function·service_command·{
  
194 #·Load·function·arguments·into·local·variables210 #·Load·function·arguments·into·local·variables
195 local·package="$1"211 local·service_state=$1
 212 local·service=$2
 213 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
196 #·Check·sanity·of·the·input214 #·Check·sanity·of·the·input
197 if·[·$#·-ne·"1"·]215 if·[·$#·-lt·"2"·]
198 then216 then
199 ··echo·"Usage:·package_remove·'package_name'"217 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 218 ··echo
 219 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 220 ··echo·"as·the·last·argument"··
200 ··echo·"Aborting."221 ··echo·"Aborting."
201 ··exit·1222 ··exit·1
202 fi223 fi
Max diff block lines reached; 415516/421004 bytes (98.70%) of diff not shown.
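Review bot: package_remove is defined twice in the new file with identical bodies (new lines 37 and 161), and service_command is likewise defined at new line 69 and again at new line 209, so each rule re-declares the helper it calls; emitting each helper once near the top of the role, with a one-line header such as `# Shared helpers: package_remove, service_command (defined once, used by the rules below)`, would shorten the script and make a later fix to a helper apply everywhere. This looks like a property of the generator template rather than of any single rule, so I am flagging it rather than proposing a per-rule change. The service_command body that starts at new line 209 runs past the diff size limit, so its remaining lines are not reviewed here.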
188 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-pci-dss.sh
    
Offset 128, 424 lines modifiedOffset 128, 17 lines modified
128 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config128 ··sed·-i·"s/ClientAliveInterval.*/ClientAliveInterval·$sshd_idle_timeout_value/g"·/etc/ssh/sshd_config
129 if·!·[·$?·-eq·0·];·then129 if·!·[·$?·-eq·0·];·then
130 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config130 ····echo·"ClientAliveInterval·$sshd_idle_timeout_value"·>>·/etc/ssh/sshd_config
131 fi131 fi
132 #·END·fix·for·'sshd_set_idle_timeout'132 #·END·fix·for·'sshd_set_idle_timeout'
  
133 ###############################################################################133 ###############################################################################
134 #·BEGIN·fix·(5·/·94)·for·'rpm_verify_permissions'134 #·BEGIN·fix·(5·/·94)·for·'rsyslog_files_permissions'
135 ###############################################################################135 ###############################################################################
136 (>&2·echo·"Remediating·rule·5/94:·'rpm_verify_permissions'")136 (>&2·echo·"Remediating·rule·5/94:·'rsyslog_files_permissions'")
  
137 #·Declare·array·to·hold·list·of·RPM·packages·we·need·to·correct·permissions·for 
138 declare·-a·SETPERMS_RPM_LIST 
  
139 #·Create·a·list·of·files·on·the·system·having·permissions·different·from·what 
140 #·is·expected·by·the·RPM·database 
141 FILES_WITH_INCORRECT_PERMS=($(rpm·-Va·--nofiledigest·|·grep·'^.M'·|·cut·-d·'·'·-f4-)) 
  
142 #·For·each·file·path·from·that·list: 
143 #·*·Determine·the·RPM·package·the·file·path·is·shipped·by, 
144 #·*·Include·it·into·SETPERMS_RPM_LIST·array 
  
145 for·FILE_PATH·in·"${FILES_WITH_INCORRECT_PERMS[@]}" 
146 do 
147 »       RPM_PACKAGE=$(rpm·-qf·"$FILE_PATH") 
148 »       SETPERMS_RPM_LIST=("${SETPERMS_RPM_LIST[@]}"·"$RPM_PACKAGE") 
149 done 
  
150 #·Remove·duplicate·mention·of·same·RPM·in·$SETPERMS_RPM_LIST·(if·any) 
151 SETPERMS_RPM_LIST=(·$(echo·"${SETPERMS_RPM_LIST[@]}"·|·tr·'·'·'\n'·|·sort·-u·|·tr·'\n'·'·')·) 
  
152 #·For·each·of·the·RPM·packages·left·in·the·list·--·reset·its·permissions·to·the 
153 #·correct·values 
154 for·RPM_PACKAGE·in·"${SETPERMS_RPM_LIST[@]}" 
155 do 
156 »       rpm·--setperms·"${RPM_PACKAGE}" 
157 done 
158 #·END·fix·for·'rpm_verify_permissions' 
  
159 ############################################################################### 
160 #·BEGIN·fix·(6·/·94)·for·'rpm_verify_hashes' 
161 ############################################################################### 
162 (>&2·echo·"Remediating·rule·6/94:·'rpm_verify_hashes'") 
163 #·FIX·FOR·THIS·RULE·IS·MISSING 
164 #·END·fix·for·'rpm_verify_hashes' 
  
165 ############################################################################### 
166 #·BEGIN·fix·(7·/·94)·for·'install_hids' 
167 ############################################################################### 
168 (>&2·echo·"Remediating·rule·7/94:·'install_hids'") 
169 #·FIX·FOR·THIS·RULE·IS·MISSING 
170 #·END·fix·for·'install_hids' 
  
171 ############################################################################### 
172 #·BEGIN·fix·(8·/·94)·for·'package_aide_installed' 
173 ############################################################################### 
174 (>&2·echo·"Remediating·rule·8/94:·'package_aide_installed'") 
175 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
176 # 
177 #·Example·Call(s): 
178 # 
179 #·····package_install·aide 
180 # 
181 function·package_install·{ 
  
182 #·Load·function·arguments·into·local·variables 
183 local·package="$1" 
  
184 #·Check·sanity·of·the·input 
185 if·[·$#·-ne·"1"·] 
186 then 
187 ··echo·"Usage:·package_install·'package_name'" 
188 ··echo·"Aborting." 
189 ··exit·1 
190 fi 
  
191 if·which·dnf·;·then 
192 ··if·!·rpm·-q·--quiet·"$package";·then 
193 ····dnf·install·-y·"$package" 
194 ··fi 
195 elif·which·yum·;·then 
196 ··if·!·rpm·-q·--quiet·"$package";·then 
197 ····yum·install·-y·"$package" 
198 ··fi 
199 elif·which·apt-get·;·then 
200 ··apt-get·install·-y·"$package" 
201 else 
202 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
203 ··echo·"Aborting." 
204 ··exit·1 
205 fi 
  
206 } 
  
207 package_install·aide 
208 #·END·fix·for·'package_aide_installed' 
  
209 ############################################################################### 
210 #·BEGIN·fix·(9·/·94)·for·'aide_periodic_cron_checking' 
211 ############################################################################### 
212 (>&2·echo·"Remediating·rule·9/94:·'aide_periodic_cron_checking'") 
213 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
214 # 
215 #·Example·Call(s): 
216 # 
217 #·····package_install·aide 
218 # 
219 function·package_install·{ 
  
220 #·Load·function·arguments·into·local·variables 
221 local·package="$1" 
  
222 #·Check·sanity·of·the·input 
223 if·[·$#·-ne·"1"·] 
224 then 
225 ··echo·"Usage:·package_install·'package_name'" 
226 ··echo·"Aborting." 
227 ··exit·1 
228 fi 
  
229 if·which·dnf·;·then 
230 ··if·!·rpm·-q·--quiet·"$package";·then 
231 ····dnf·install·-y·"$package" 
232 ··fi 
233 elif·which·yum·;·then 
234 ··if·!·rpm·-q·--quiet·"$package";·then 
235 ····yum·install·-y·"$package" 
Max diff block lines reached; 176223/192119 bytes (91.73%) of diff not shown.
82.8 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-rht-ccp.sh
    
Offset 18, 38 lines modifiedOffset 18, 120 lines modified
18 #18 #
19 #·How·to·apply·this·remediation·role:19 #·How·to·apply·this·remediation·role:
20 #·$·sudo·./remediation-role.sh20 #·$·sudo·./remediation-role.sh
21 #21 #
22 ###############################################################################22 ###############################################################################
  
23 ###############################################################################23 ###############################################################################
24 #·BEGIN·fix·(1·/·94)·for·'service_rlogin_disabled'24 #·BEGIN·fix·(1·/·94)·for·'service_atd_disabled'
25 ###############################################################################25 ###############################################################################
26 (>&2·echo·"Remediating·rule·1/94:·'service_rlogin_disabled'")26 (>&2·echo·"Remediating·rule·1/94:·'service_atd_disabled'")
 27 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
 28 #
 29 #·Example·Call(s):
 30 #
 31 #·····service_command·enable·bluetooth
 32 #·····service_command·disable·bluetooth.service
 33 #
 34 #·····Using·xinetd:
 35 #·····service_command·disable·rsh.socket·xinetd=rsh
 36 #
 37 function·service_command·{
  
 38 #·Load·function·arguments·into·local·variables
 39 local·service_state=$1
 40 local·service=$2
 41 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 42 #·Check·sanity·of·the·input
 43 if·[·$#·-lt·"2"·]
 44 then
 45 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 46 ··echo
 47 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 48 ··echo·"as·the·last·argument"··
 49 ··echo·"Aborting."
 50 ··exit·1
 51 fi
  
 52 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 53 if·[·-f·"/usr/bin/systemctl"·]·;·then
 54 ··service_util="/usr/bin/systemctl"
 55 else
 56 ··service_util="/sbin/service"
 57 ··chkconfig_util="/sbin/chkconfig"
 58 fi
  
 59 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 60 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 61 if·[·"$service_state"·!=·'disable'·]·;·then
 62 ··service_state="enable"
 63 ··service_operation="start"
 64 ··chkconfig_state="on"
 65 else
 66 ··service_state="disable"
 67 ··service_operation="stop"
 68 ··chkconfig_state="off"
 69 fi
  
 70 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 71 if·[·"x$chkconfig_util"·!=·x·]·;·then
 72 ··$service_util·$service·$service_operation
 73 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 74 else
 75 ··$service_util·$service_operation·$service
 76 ··$service_util·$service_state·$service
 77 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 78 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 79 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 80 ··$service_util·reset-failed·$service
 81 fi
  
 82 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 83 #·If·empty,·then·xinetd·is·not·being·used.
 84 if·[·"x$xinetd"·!=·x·]·;·then
 85 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 86 ··if·[·"$service_operation"·=·'disable'·]·;·then
 87 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 88 ··else
 89 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 90 ··fi
 91 fi
  
 92 }
  
 93 service_command·disable·atd
 94 #·END·fix·for·'service_atd_disabled'
  
 95 ###############################################################################
 96 #·BEGIN·fix·(2·/·94)·for·'service_rlogin_disabled'
 97 ###############################################################################
 98 (>&2·echo·"Remediating·rule·2/94:·'service_rlogin_disabled'")
27 #·FIX·FOR·THIS·RULE·IS·MISSING99 #·FIX·FOR·THIS·RULE·IS·MISSING
28 #·END·fix·for·'service_rlogin_disabled'100 #·END·fix·for·'service_rlogin_disabled'
  
29 ###############################################################################101 ###############################################################################
30 #·BEGIN·fix·(2·/·94)·for·'service_rexec_disabled'102 #·BEGIN·fix·(3·/·94)·for·'service_rexec_disabled'
31 ###############################################################################103 ###############################################################################
32 (>&2·echo·"Remediating·rule·2/94:·'service_rexec_disabled'")104 (>&2·echo·"Remediating·rule·3/94:·'service_rexec_disabled'")
33 #·FIX·FOR·THIS·RULE·IS·MISSING105 #·FIX·FOR·THIS·RULE·IS·MISSING
34 #·END·fix·for·'service_rexec_disabled'106 #·END·fix·for·'service_rexec_disabled'
  
35 ###############################################################################107 ###############################################################################
36 #·BEGIN·fix·(3·/·94)·for·'service_rsh_disabled'108 #·BEGIN·fix·(4·/·94)·for·'service_rsh_disabled'
37 ###############################################################################109 ###############################################################################
38 (>&2·echo·"Remediating·rule·3/94:·'service_rsh_disabled'")110 (>&2·echo·"Remediating·rule·4/94:·'service_rsh_disabled'")
39 #·FIX·FOR·THIS·RULE·IS·MISSING111 #·FIX·FOR·THIS·RULE·IS·MISSING
40 #·END·fix·for·'service_rsh_disabled'112 #·END·fix·for·'service_rsh_disabled'
  
41 ###############################################################################113 ###############################################################################
42 #·BEGIN·fix·(4·/·94)·for·'package_rsh-server_removed'114 #·BEGIN·fix·(5·/·94)·for·'package_rsh-server_removed'
43 ###############################################################################115 ###############################################################################
44 (>&2·echo·"Remediating·rule·4/94:·'package_rsh-server_removed'")116 (>&2·echo·"Remediating·rule·5/94:·'package_rsh-server_removed'")
45 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.117 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
46 #118 #
47 #·Example·Call(s):119 #·Example·Call(s):
48 #120 #
49 #·····package_remove·telnet-server121 #·····package_remove·telnet-server
50 #122 #
51 function·package_remove·{123 function·package_remove·{
Offset 83, 17 lines modifiedOffset 165, 17 lines modified
  
83 }165 }
  
84 package_remove·rsh-server166 package_remove·rsh-server
85 #·END·fix·for·'package_rsh-server_removed'167 #·END·fix·for·'package_rsh-server_removed'
  
Max diff block lines reached; 79730/84667 bytes (94.17%) of diff not shown.
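Review bot: In the added service_command, the xinetd branch at new line 86 tests `"$service_operation" = 'disable'`, but service_operation is only ever assigned "start" (line 63) or "stop" (line 67), so the `disable = no` branch at line 87 is unreachable and an `enable … xinetd=name` call would write `disable = yes` into /etc/xinetd.d/name; testing the state instead, `if [ "$service_state" = 'enable' ] ; then`, selects the intended value. The `service_command disable atd` call at line 93 passes no xinetd argument, so this section's own rule is not affected. service_util, chkconfig_util, service_operation and chkconfig_state are assigned without `local` and therefore persist in the role's global scope after the call; declaring them `local` alongside service_state would keep them contained. The same function body is cut off by the diff size limit in the ftp-server and nist-CL-IL-AL sections above.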
279 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-server.sh
    
Offset 45, 31 lines modifiedOffset 45, 17 lines modified
45 #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing'45 #·BEGIN·fix·(2·/·186)·for·'mount_option_smb_client_signing'
46 ###############################################################################46 ###############################################################################
47 (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'")47 (>&2·echo·"Remediating·rule·2/186:·'mount_option_smb_client_signing'")
48 #·FIX·FOR·THIS·RULE·IS·MISSING48 #·FIX·FOR·THIS·RULE·IS·MISSING
49 #·END·fix·for·'mount_option_smb_client_signing'49 #·END·fix·for·'mount_option_smb_client_signing'
  
50 ###############################################################################50 ###############################################################################
51 #·BEGIN·fix·(3·/·186)·for·'postfix_network_listening_disabled'51 #·BEGIN·fix·(3·/·186)·for·'service_ntpd_enabled'
52 ###############################################################################52 ###############################################################################
53 (>&2·echo·"Remediating·rule·3/186:·'postfix_network_listening_disabled'")53 (>&2·echo·"Remediating·rule·3/186:·'service_ntpd_enabled'")
54 #·FIX·FOR·THIS·RULE·IS·MISSING 
55 #·END·fix·for·'postfix_network_listening_disabled' 
  
56 ############################################################################### 
57 #·BEGIN·fix·(4·/·186)·for·'sysconfig_networking_bootproto_ifcfg' 
58 ############################################################################### 
59 (>&2·echo·"Remediating·rule·4/186:·'sysconfig_networking_bootproto_ifcfg'") 
60 #·FIX·FOR·THIS·RULE·IS·MISSING 
61 #·END·fix·for·'sysconfig_networking_bootproto_ifcfg' 
  
62 ############################################################################### 
63 #·BEGIN·fix·(5·/·186)·for·'service_ntpd_enabled' 
64 ############################################################################### 
65 (>&2·echo·"Remediating·rule·5/186:·'service_ntpd_enabled'") 
66 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.54 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
67 #55 #
68 #·Example·Call(s):56 #·Example·Call(s):
69 #57 #
70 #·····service_command·enable·bluetooth58 #·····service_command·enable·bluetooth
71 #·····service_command·disable·bluetooth.service59 #·····service_command·disable·bluetooth.service
72 #60 #
Offset 141, 45 lines modifiedOffset 127, 24 lines modified
  
141 }127 }
  
142 service_command·enable·ntpd128 service_command·enable·ntpd
143 #·END·fix·for·'service_ntpd_enabled'129 #·END·fix·for·'service_ntpd_enabled'
  
144 ###############################################################################130 ###############################################################################
145 #·BEGIN·fix·(6·/·186)·for·'ntpd_specify_remote_server'131 #·BEGIN·fix·(4·/·186)·for·'ntpd_specify_remote_server'
146 ###############################################################################132 ###############################################################################
147 (>&2·echo·"Remediating·rule·6/186:·'ntpd_specify_remote_server'")133 (>&2·echo·"Remediating·rule·4/186:·'ntpd_specify_remote_server'")
148 #·FIX·FOR·THIS·RULE·IS·MISSING134 #·FIX·FOR·THIS·RULE·IS·MISSING
149 #·END·fix·for·'ntpd_specify_remote_server'135 #·END·fix·for·'ntpd_specify_remote_server'
  
150 ###############################################################################136 ###############################################################################
151 #·BEGIN·fix·(7·/·186)·for·'service_rlogin_disabled'137 #·BEGIN·fix·(5·/·186)·for·'package_openldap-servers_removed'
152 ############################################################################### 
153 (>&2·echo·"Remediating·rule·7/186:·'service_rlogin_disabled'") 
154 #·FIX·FOR·THIS·RULE·IS·MISSING 
155 #·END·fix·for·'service_rlogin_disabled' 
  
156 ############################################################################### 
157 #·BEGIN·fix·(8·/·186)·for·'service_rexec_disabled' 
158 ###############################################################################138 ###############################################################################
159 (>&2·echo·"Remediating·rule·8/186:·'service_rexec_disabled'")139 (>&2·echo·"Remediating·rule·5/186:·'package_openldap-servers_removed'")
160 #·FIX·FOR·THIS·RULE·IS·MISSING 
161 #·END·fix·for·'service_rexec_disabled' 
  
162 ############################################################################### 
163 #·BEGIN·fix·(9·/·186)·for·'service_rsh_disabled' 
164 ############################################################################### 
165 (>&2·echo·"Remediating·rule·9/186:·'service_rsh_disabled'") 
166 #·FIX·FOR·THIS·RULE·IS·MISSING 
167 #·END·fix·for·'service_rsh_disabled' 
  
168 ############################################################################### 
169 #·BEGIN·fix·(10·/·186)·for·'package_rsh-server_removed' 
170 ############################################################################### 
171 (>&2·echo·"Remediating·rule·10/186:·'package_rsh-server_removed'") 
172 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.140 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
173 #141 #
174 #·Example·Call(s):142 #·Example·Call(s):
175 #143 #
176 #·····package_remove·telnet-server144 #·····package_remove·telnet-server
177 #145 #
178 function·package_remove·{146 function·package_remove·{
Offset 209, 83 lines modifiedOffset 174, 279 lines modified
209 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"174 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
210 ··echo·"Aborting."175 ··echo·"Aborting."
211 ··exit·1176 ··exit·1
212 fi177 fi
  
213 }178 }
  
214 package_remove·rsh-server179 package_remove·openldap-servers
215 #·END·fix·for·'package_rsh-server_removed'180 #·END·fix·for·'package_openldap-servers_removed'
  
216 ###############################################################################181 ###############################################################################
217 #·BEGIN·fix·(11·/·186)·for·'no_rsh_trust_files'182 #·BEGIN·fix·(6·/·186)·for·'ldap_client_start_tls'
218 ###############################################################################183 ###############################################################################
219 (>&2·echo·"Remediating·rule·11/186:·'no_rsh_trust_files'")184 (>&2·echo·"Remediating·rule·6/186:·'ldap_client_start_tls'")
220 find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; 
  
221 if·[·-f·/etc/hosts.equiv·];·then 
222 »       /bin/rm·-f·/etc/hosts.equiv185 #·Use·LDAP·for·authentication
223 fi186 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
224 #·END·fix·for·'no_rsh_trust_files'187 #·it·does·not·exist.
 188 #
 189 #·Expects·arguments:
 190 #
 191 #·config_file:»  »  Configuration·file·that·will·be·modified
 192 #·key:»  »  »  Configuration·option·to·change
 193 #·value:»»Value·of·the·configuration·option·to·change
 194 #·cce:»  »  »  The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists
 195 #·format:»       »       The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments,
 196 #»      »      »      so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=)
 197 #
 198 #·Optional·arugments:
 199 #
 200 #·format:»       »       Optional·argument·to·specify·the·format·of·how·key/value·should·be
 201 #·»      »      »      modified/appended·in·the·configuration·file.·The·default·is·key·=·value.
 202 #
 203 #·Example·Call(s):
 204 #
 205 #·····With·default·format·of·'key·=·value':
 206 #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@'
 207 #
 208 #·····With·custom·key/value·format:
 209 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s'
 210 #
 211 #·····With·a·variable:
 212 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s'
 213 #
 214 function·replace_or_append·{
 215 ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option=''
 216 ··local·config_file=$1
Max diff block lines reached; 274005/285608 bytes (95.94%) of diff not shown.
275 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-standard.sh
    
Offset 46, 24 lines modifiedOffset 46, 17 lines modified
46 #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing'46 #·BEGIN·fix·(2·/·182)·for·'mount_option_smb_client_signing'
47 ###############################################################################47 ###############################################################################
48 (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'")48 (>&2·echo·"Remediating·rule·2/182:·'mount_option_smb_client_signing'")
49 #·FIX·FOR·THIS·RULE·IS·MISSING49 #·FIX·FOR·THIS·RULE·IS·MISSING
50 #·END·fix·for·'mount_option_smb_client_signing'50 #·END·fix·for·'mount_option_smb_client_signing'
  
51 ###############################################################################51 ###############################################################################
52 #·BEGIN·fix·(3·/·182)·for·'postfix_network_listening_disabled'52 #·BEGIN·fix·(3·/·182)·for·'service_ntpd_enabled'
53 ###############################################################################53 ###############################################################################
54 (>&2·echo·"Remediating·rule·3/182:·'postfix_network_listening_disabled'")54 (>&2·echo·"Remediating·rule·3/182:·'service_ntpd_enabled'")
55 #·FIX·FOR·THIS·RULE·IS·MISSING 
56 #·END·fix·for·'postfix_network_listening_disabled' 
  
57 ############################################################################### 
58 #·BEGIN·fix·(4·/·182)·for·'service_ntpd_enabled' 
59 ############################################################################### 
60 (>&2·echo·"Remediating·rule·4/182:·'service_ntpd_enabled'") 
61 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.55 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
62 #56 #
63 #·Example·Call(s):57 #·Example·Call(s):
64 #58 #
65 #·····service_command·enable·bluetooth59 #·····service_command·enable·bluetooth
66 #·····service_command·disable·bluetooth.service60 #·····service_command·disable·bluetooth.service
67 #61 #
Offset 135, 45 lines modifiedOffset 128, 24 lines modified
  
135 }128 }
  
136 service_command·enable·ntpd129 service_command·enable·ntpd
137 #·END·fix·for·'service_ntpd_enabled'130 #·END·fix·for·'service_ntpd_enabled'
  
138 ###############################################################################131 ###############################################################################
139 #·BEGIN·fix·(5·/·182)·for·'ntpd_specify_remote_server'132 #·BEGIN·fix·(4·/·182)·for·'ntpd_specify_remote_server'
140 ###############################################################################133 ###############################################################################
141 (>&2·echo·"Remediating·rule·5/182:·'ntpd_specify_remote_server'")134 (>&2·echo·"Remediating·rule·4/182:·'ntpd_specify_remote_server'")
142 #·FIX·FOR·THIS·RULE·IS·MISSING135 #·FIX·FOR·THIS·RULE·IS·MISSING
143 #·END·fix·for·'ntpd_specify_remote_server'136 #·END·fix·for·'ntpd_specify_remote_server'
  
144 ###############################################################################137 ###############################################################################
145 #·BEGIN·fix·(6·/·182)·for·'service_rlogin_disabled'138 #·BEGIN·fix·(5·/·182)·for·'package_openldap-servers_removed'
146 ############################################################################### 
147 (>&2·echo·"Remediating·rule·6/182:·'service_rlogin_disabled'") 
148 #·FIX·FOR·THIS·RULE·IS·MISSING 
149 #·END·fix·for·'service_rlogin_disabled' 
  
150 ############################################################################### 
151 #·BEGIN·fix·(7·/·182)·for·'service_rexec_disabled' 
152 ############################################################################### 
153 (>&2·echo·"Remediating·rule·7/182:·'service_rexec_disabled'") 
154 #·FIX·FOR·THIS·RULE·IS·MISSING 
155 #·END·fix·for·'service_rexec_disabled' 
  
156 ############################################################################### 
157 #·BEGIN·fix·(8·/·182)·for·'service_rsh_disabled' 
158 ###############################################################################139 ###############################################################################
159 (>&2·echo·"Remediating·rule·8/182:·'service_rsh_disabled'")140 (>&2·echo·"Remediating·rule·5/182:·'package_openldap-servers_removed'")
160 #·FIX·FOR·THIS·RULE·IS·MISSING 
161 #·END·fix·for·'service_rsh_disabled' 
  
162 ############################################################################### 
163 #·BEGIN·fix·(9·/·182)·for·'package_rsh-server_removed' 
164 ############################################################################### 
165 (>&2·echo·"Remediating·rule·9/182:·'package_rsh-server_removed'") 
166 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.141 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
167 #142 #
168 #·Example·Call(s):143 #·Example·Call(s):
169 #144 #
170 #·····package_remove·telnet-server145 #·····package_remove·telnet-server
171 #146 #
172 function·package_remove·{147 function·package_remove·{
Offset 203, 83 lines modifiedOffset 175, 279 lines modified
203 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"175 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
204 ··echo·"Aborting."176 ··echo·"Aborting."
205 ··exit·1177 ··exit·1
206 fi178 fi
  
207 }179 }
  
208 package_remove·rsh-server180 package_remove·openldap-servers
209 #·END·fix·for·'package_rsh-server_removed'181 #·END·fix·for·'package_openldap-servers_removed'
  
210 ###############################################################################182 ###############################################################################
211 #·BEGIN·fix·(10·/·182)·for·'no_rsh_trust_files'183 #·BEGIN·fix·(6·/·182)·for·'ldap_client_start_tls'
212 ###############################################################################184 ###############################################################################
213 (>&2·echo·"Remediating·rule·10/182:·'no_rsh_trust_files'")185 (>&2·echo·"Remediating·rule·6/182:·'ldap_client_start_tls'")
214 find·/home·-maxdepth·2·-type·f·-name·.rhosts·-exec·rm·-f·'{}'·\; 
  
215 if·[·-f·/etc/hosts.equiv·];·then 
216 »       /bin/rm·-f·/etc/hosts.equiv186 #·Use·LDAP·for·authentication
217 fi187 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
218 #·END·fix·for·'no_rsh_trust_files'188 #·it·does·not·exist.
 189 #
 190 #·Expects·arguments:
 191 #
 192 #·config_file:»  »  Configuration·file·that·will·be·modified
 193 #·key:»  »  »  Configuration·option·to·change
 194 #·value:»»Value·of·the·configuration·option·to·change
 195 #·cce:»  »  »  The·CCE·identifier·or·'@CCENUM@'·if·no·CCE·identifier·exists
 196 #·format:»       »       The·printf-like·format·string·that·will·be·given·stripped·key·and·value·as·arguments,
 197 #»      »      »      so·e.g.·'%s=%s'·will·result·in·key=value·subsitution·(i.e.·without·spaces·around·=)
 198 #
 199 #·Optional·arugments:
 200 #
 201 #·format:»       »       Optional·argument·to·specify·the·format·of·how·key/value·should·be
 202 #·»      »      »      modified/appended·in·the·configuration·file.·The·default·is·key·=·value.
 203 #
 204 #·Example·Call(s):
 205 #
 206 #·····With·default·format·of·'key·=·value':
 207 #·····replace_or_append·'/etc/sysctl.conf'·'^kernel.randomize_va_space'·'2'·'@CCENUM@'
 208 #
 209 #·····With·custom·key/value·format:
 210 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·'disabled'·'@CCENUM@'·'%s=%s'
 211 #
 212 #·····With·a·variable:
 213 #·····replace_or_append·'/etc/sysconfig/selinux'·'^SELINUX='·$var_selinux_state·'@CCENUM@'·'%s=%s'
 214 #
 215 function·replace_or_append·{
 216 ··local·default_format='%s·=·%s'·case_insensitive_mode=yes·sed_case_insensitive_option=''·grep_case_insensitive_option=''
 217 ··local·config_file=$1
 218 ··local·key=$2
 219 ··local·value=$3
 220 ··local·cce=$4
 221 ··local·format=$5
  
 222 ··if·[·"$case_insensitive_mode"·=·yes·];·then
 223 ····sed_case_insensitive_option="i"
Max diff block lines reached; 270022/281230 bytes (96.01%) of diff not shown.
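Review bot: The two builds of ssg-sl6-role-standard.sh disagree on which rules occupy positions 5–10 (left: service_rlogin_disabled, service_rexec_disabled, service_rsh_disabled, package_rsh-server_removed, no_rsh_trust_files; right: package_openldap-servers_removed, ldap_client_start_tls), so the generated remediation role is not reproducible. The total stays 182 on both sides, which suggests the same rule set is emitted in a different iteration order — consistent with the generator walking an unordered set or dict — but the truncated diff cannot confirm that no rule is actually dropped, and that is worth verifying, since a role that runs the rsh/.rhosts cleanup in one build and not the other is a real hardening gap. The fix belongs in the role generator rather than in this output: emit the selected rules in a deterministic order (the profile's declared order, or sorted by rule id), after which the `BEGIN fix (N / 182)` counters will agree between builds. The same non-determinism appears in the ssg-sl6-role-stig-rhel6-disa.sh, ssg-sl6-role-usgcb-rhel6-server.sh and ssg-sl7-role-C2S.sh sections below.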
351 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-stig-rhel6-disa.sh
    
Offset 25, 17 lines modifiedOffset 25, 31 lines modified
25 #25 #
26 #·How·to·apply·this·remediation·role:26 #·How·to·apply·this·remediation·role:
27 #·$·sudo·./remediation-role.sh27 #·$·sudo·./remediation-role.sh
28 #28 #
29 ###############################################################################29 ###############################################################################
  
30 ###############################################################################30 ###############################################################################
31 #·BEGIN·fix·(1·/·250)·for·'require_smb_client_signing'31 #·BEGIN·fix·(1·/·250)·for·'ftp_log_transactions'
32 ###############################################################################32 ###############################################################################
33 (>&2·echo·"Remediating·rule·1/250:·'require_smb_client_signing'")33 (>&2·echo·"Remediating·rule·1/250:·'ftp_log_transactions'")
 34 #·FIX·FOR·THIS·RULE·IS·MISSING
 35 #·END·fix·for·'ftp_log_transactions'
  
 36 ###############################################################################
 37 #·BEGIN·fix·(2·/·250)·for·'ftp_present_banner'
 38 ###############################################################################
 39 (>&2·echo·"Remediating·rule·2/250:·'ftp_present_banner'")
 40 #·FIX·FOR·THIS·RULE·IS·MISSING
 41 #·END·fix·for·'ftp_present_banner'
  
 42 ###############################################################################
 43 #·BEGIN·fix·(3·/·250)·for·'require_smb_client_signing'
 44 ###############################################################################
 45 (>&2·echo·"Remediating·rule·3/250:·'require_smb_client_signing'")
34 ######################################################################46 ######################################################################
35 #By·Luke·"Brisk-OH"·Brisk47 #By·Luke·"Brisk-OH"·Brisk
36 #luke.brisk@boeing.com·or·luke.brisk@gmail.com48 #luke.brisk@boeing.com·or·luke.brisk@gmail.com
37 ######################################################################49 ######################################################################
  
38 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)50 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)
  
Offset 44, 38 lines modifiedOffset 58, 113 lines modified
44 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf58 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf
45 else59 else
46 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf60 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf
47 fi61 fi
48 #·END·fix·for·'require_smb_client_signing'62 #·END·fix·for·'require_smb_client_signing'
  
49 ###############################################################################63 ###############################################################################
50 #·BEGIN·fix·(2·/·250)·for·'mount_option_smb_client_signing'64 #·BEGIN·fix·(4·/·250)·for·'mount_option_smb_client_signing'
51 ###############################################################################65 ###############################################################################
52 (>&2·echo·"Remediating·rule·2/250:·'mount_option_smb_client_signing'")66 (>&2·echo·"Remediating·rule·4/250:·'mount_option_smb_client_signing'")
53 #·FIX·FOR·THIS·RULE·IS·MISSING67 #·FIX·FOR·THIS·RULE·IS·MISSING
54 #·END·fix·for·'mount_option_smb_client_signing'68 #·END·fix·for·'mount_option_smb_client_signing'
  
55 ###############################################################################69 ###############################################################################
56 #·BEGIN·fix·(3·/·250)·for·'postfix_client_configure_mail_alias'70 #·BEGIN·fix·(5·/·250)·for·'service_ntpd_enabled'
57 ###############################################################################71 ###############################################################################
58 (>&2·echo·"Remediating·rule·3/250:·'postfix_client_configure_mail_alias'")72 (>&2·echo·"Remediating·rule·5/250:·'service_ntpd_enabled'")
59 #·FIX·FOR·THIS·RULE·IS·MISSING73 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
60 #·END·fix·for·'postfix_client_configure_mail_alias'74 #
 75 #·Example·Call(s):
 76 #
 77 #·····service_command·enable·bluetooth
 78 #·····service_command·disable·bluetooth.service
 79 #
 80 #·····Using·xinetd:
 81 #·····service_command·disable·rsh.socket·xinetd=rsh
 82 #
 83 function·service_command·{
  
 84 #·Load·function·arguments·into·local·variables
 85 local·service_state=$1
 86 local·service=$2
 87 local·xinetd=$(echo·$3·|·cut·-d'='·-f2)
  
 88 #·Check·sanity·of·the·input
 89 if·[·$#·-lt·"2"·]
 90 then
 91 ··echo·"Usage:·service_command·'enable/disable'·'service_name.service'"
 92 ··echo
 93 ··echo·"To·enable·or·disable·xinetd·services·add·\'xinetd=service_name\'"
 94 ··echo·"as·the·last·argument"··
 95 ··echo·"Aborting."
 96 ··exit·1
 97 fi
  
 98 #·If·systemctl·is·installed,·use·systemctl·command;·otherwise,·use·the·service/chkconfig·commands
 99 if·[·-f·"/usr/bin/systemctl"·]·;·then
 100 ··service_util="/usr/bin/systemctl"
 101 else
 102 ··service_util="/sbin/service"
 103 ··chkconfig_util="/sbin/chkconfig"
 104 fi
  
 105 #·If·disable·is·not·specified·in·arg1,·set·variables·to·enable·services.
 106 #·Otherwise,·variables·are·to·be·set·to·disable·services.
 107 if·[·"$service_state"·!=·'disable'·]·;·then
 108 ··service_state="enable"
 109 ··service_operation="start"
 110 ··chkconfig_state="on"
 111 else
 112 ··service_state="disable"
 113 ··service_operation="stop"
 114 ··chkconfig_state="off"
 115 fi
  
 116 #·If·chkconfig_util·is·not·empty,·use·chkconfig/service·commands.
 117 if·[·"x$chkconfig_util"·!=·x·]·;·then
 118 ··$service_util·$service·$service_operation
 119 ··$chkconfig_util·--level·0123456·$service·$chkconfig_state
 120 else
 121 ··$service_util·$service_operation·$service
 122 ··$service_util·$service_state·$service
 123 ··#·The·service·may·not·be·running·because·it·has·been·started·and·failed,
 124 ··#·so·let's·reset·the·state·so·OVAL·checks·pass.
 125 ··#·Service·should·be·'inactive',·not·'failed'·after·reboot·though.
 126 ··$service_util·reset-failed·$service
 127 fi
  
 128 #·Test·if·local·variable·xinetd·is·empty·using·non-bashism.
 129 #·If·empty,·then·xinetd·is·not·being·used.
 130 if·[·"x$xinetd"·!=·x·]·;·then
 131 ··grep·-qi·disable·/etc/xinetd.d/$xinetd·&&·\
  
 132 ··if·[·"$service_operation"·=·'disable'·]·;·then
 133 ····sed·-i·"s/disable.*/disable·········=·no/gI"·/etc/xinetd.d/$xinetd
 134 ··else
 135 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
 136 ··fi
 137 fi
  
 138 }
  
 139 service_command·enable·ntpd
 140 #·END·fix·for·'service_ntpd_enabled'
  
Max diff block lines reached; 353872/359166 bytes (98.53%) of diff not shown.
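Review bot: In the service_command body added on the right side, the xinetd branch tests `if [ "$service_operation" = 'disable' ] ; then`, but service_operation is only ever set to "start" or "stop" a few lines above, so that branch is unreachable and any call that passes `xinetd=` always writes `disable = yes`, including `service_command enable ...`. The comparison should be against the state variable, e.g. `if [ "$service_state" = 'enable' ] ; then`, which makes the existing `disable = no` branch the enable path. This role's only visible call, `service_command enable ntpd`, passes no xinetd argument and is unaffected, but the function is the shared template copied into every generated role, so the fix belongs in the common bash remediation function source rather than in this file.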
386 KB
./usr/share/scap-security-guide/bash/ssg-sl6-role-usgcb-rhel6-server.sh
    
Offset 19, 17 lines modifiedOffset 19, 17 lines modified
19 #19 #
20 #·How·to·apply·this·remediation·role:20 #·How·to·apply·this·remediation·role:
21 #·$·sudo·./remediation-role.sh21 #·$·sudo·./remediation-role.sh
22 #22 #
23 ###############################################################################23 ###############################################################################
  
24 ###############################################################################24 ###############################################################################
25 #·BEGIN·fix·(1·/·223)·for·'service_smb_disabled'25 #·BEGIN·fix·(1·/·223)·for·'service_vsftpd_disabled'
26 ###############################################################################26 ###############################################################################
27 (>&2·echo·"Remediating·rule·1/223:·'service_smb_disabled'")27 (>&2·echo·"Remediating·rule·1/223:·'service_vsftpd_disabled'")
28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.28 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
29 #29 #
30 #·Example·Call(s):30 #·Example·Call(s):
31 #31 #
32 #·····service_command·enable·bluetooth32 #·····service_command·enable·bluetooth
33 #·····service_command·disable·bluetooth.service33 #·····service_command·disable·bluetooth.service
34 #34 #
Offset 97, 47 lines modifiedOffset 97, 65 lines modified
97 ··else97 ··else
98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd98 ····sed·-i·"s/disable.*/disable·········=·yes/gI"·/etc/xinetd.d/$xinetd
99 ··fi99 ··fi
100 fi100 fi
  
101 }101 }
  
102 service_command·disable·smb102 service_command·disable·vsftpd
103 #·END·fix·for·'service_smb_disabled'103 #·END·fix·for·'service_vsftpd_disabled'
  
104 ###############################################################################104 ###############################################################################
105 #·BEGIN·fix·(2·/·223)·for·'require_smb_client_signing'105 #·BEGIN·fix·(2·/·223)·for·'package_vsftpd_removed'
106 ###############################################################################106 ###############################################################################
107 (>&2·echo·"Remediating·rule·2/223:·'require_smb_client_signing'")107 (>&2·echo·"Remediating·rule·2/223:·'package_vsftpd_removed'")
108 ######################################################################108 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
109 #By·Luke·"Brisk-OH"·Brisk109 #
110 #luke.brisk@boeing.com·or·luke.brisk@gmail.com110 #·Example·Call(s):
111 ######################################################################111 #
 112 #·····package_remove·telnet-server
 113 #
 114 function·package_remove·{
  
112 CLIENTSIGNING=$(·grep·-ic·'client·signing'·/etc/samba/smb.conf·)115 #·Load·function·arguments·into·local·variables
 116 local·package="$1"
  
113 if·[·"$CLIENTSIGNING"·-eq·0·];··then117 #·Check·sanity·of·the·input
114 »       #·Add·to·global·section118 if·[·$#·-ne·"1"·]
115 »       sed·-i·'s/\[global\]/\[global\]\n\n\tclient·signing·=·mandatory/g'·/etc/samba/smb.conf119 then
 120 ··echo·"Usage:·package_remove·'package_name'"
 121 ··echo·"Aborting."
 122 ··exit·1
 123 fi
  
 124 if·which·dnf·;·then
 125 ··if·rpm·-q·--quiet·"$package";·then
 126 ····dnf·remove·-y·"$package"
 127 ··fi
 128 elif·which·yum·;·then
 129 ··if·rpm·-q·--quiet·"$package";·then
 130 ····yum·remove·-y·"$package"
 131 ··fi
 132 elif·which·apt-get·;·then
 133 ··apt-get·remove·-y·"$package"
116 else134 else
117 »       sed·-i·'s/[[:blank:]]*client[[:blank:]]signing[[:blank:]]*=[[:blank:]]*no/········client·signing·=·mandatory/g'·/etc/samba/smb.conf135 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 136 ··echo·"Aborting."
 137 ··exit·1
118 fi138 fi
119 #·END·fix·for·'require_smb_client_signing' 
  
120 ###############################################################################139 }
121 #·BEGIN·fix·(3·/·223)·for·'mount_option_smb_client_signing' 
122 ###############################################################################140 package_remove·vsftpd
123 (>&2·echo·"Remediating·rule·3/223:·'mount_option_smb_client_signing'")141 #·END·fix·for·'package_vsftpd_removed'
124 #·FIX·FOR·THIS·RULE·IS·MISSING 
125 #·END·fix·for·'mount_option_smb_client_signing' 
  
126 ###############################################################################142 ###############################################################################
127 #·BEGIN·fix·(4·/·223)·for·'service_httpd_disabled'143 #·BEGIN·fix·(3·/·223)·for·'service_httpd_disabled'
128 ###############################################################################144 ###############################################################################
129 (>&2·echo·"Remediating·rule·4/223:·'service_httpd_disabled'")145 (>&2·echo·"Remediating·rule·3/223:·'service_httpd_disabled'")
130 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.146 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
131 #147 #
132 #·Example·Call(s):148 #·Example·Call(s):
133 #149 #
134 #·····service_command·enable·bluetooth150 #·····service_command·enable·bluetooth
135 #·····service_command·disable·bluetooth.service151 #·····service_command·disable·bluetooth.service
136 #152 #
Offset 209, 17 lines modifiedOffset 227, 17 lines modified
  
209 }227 }
  
210 service_command·disable·httpd228 service_command·disable·httpd
211 #·END·fix·for·'service_httpd_disabled'229 #·END·fix·for·'service_httpd_disabled'
  
212 ###############################################################################230 ###############################################################################
213 #·BEGIN·fix·(5·/·223)·for·'package_httpd_removed'231 #·BEGIN·fix·(4·/·223)·for·'package_httpd_removed'
214 ###############################################################################232 ###############################################################################
215 (>&2·echo·"Remediating·rule·5/223:·'package_httpd_removed'")233 (>&2·echo·"Remediating·rule·4/223:·'package_httpd_removed'")
216 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.234 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
217 #235 #
218 #·Example·Call(s):236 #·Example·Call(s):
219 #237 #
220 #·····package_remove·telnet-server238 #·····package_remove·telnet-server
221 #239 #
222 function·package_remove·{240 function·package_remove·{
Offset 253, 68 lines modifiedOffset 271, 99 lines modified
  
253 }271 }
  
254 package_remove·httpd272 package_remove·httpd
255 #·END·fix·for·'package_httpd_removed'273 #·END·fix·for·'package_httpd_removed'
  
256 ###############################################################################274 ###############################################################################
257 #·BEGIN·fix·(6·/·223)·for·'postfix_network_listening_disabled'275 #·BEGIN·fix·(5·/·223)·for·'service_named_disabled'
258 ############################################################################### 
259 (>&2·echo·"Remediating·rule·6/223:·'postfix_network_listening_disabled'") 
260 #·FIX·FOR·THIS·RULE·IS·MISSING 
261 #·END·fix·for·'postfix_network_listening_disabled' 
  
262 ############################################################################### 
263 #·BEGIN·fix·(7·/·223)·for·'package_sendmail_removed' 
264 ###############################################################################276 ###############################################################################
265 (>&2·echo·"Remediating·rule·7/223:·'package_sendmail_removed'")277 (>&2·echo·"Remediating·rule·5/223:·'service_named_disabled'")
266 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.278 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
267 #279 #
268 #·Example·Call(s):280 #·Example·Call(s):
269 #281 #
270 #·····package_remove·telnet-server282 #·····service_command·enable·bluetooth
Max diff block lines reached; 388953/394659 bytes (98.55%) of diff not shown.
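Review bot: The package_remove body added on the right side uses `if which dnf ; then` / `elif which yum ; then` / `elif which apt-get ; then` as bare tests, so the resolved tool path is printed to stdout on every run and mixes with the role's own output. Redirect the probe, `if which dnf >/dev/null 2>&1 ; then` (and likewise for the two elif lines), so only the `(>&2 echo "Remediating rule ...")` progress lines and package-manager output remain. As with service_command, this function is the shared template stamped into each generated role, so the change should be made once at its source.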
134 KB
./usr/share/scap-security-guide/bash/ssg-sl7-role-C2S.sh
    
Offset 369, 17 lines modifiedOffset 369, 61 lines modified
  
369 }369 }
  
370 service_command·disable·tftp370 service_command·disable·tftp
371 #·END·fix·for·'service_tftp_disabled'371 #·END·fix·for·'service_tftp_disabled'
  
372 ###############################################################################372 ###############################################################################
373 #·BEGIN·fix·(11·/·213)·for·'service_xinetd_disabled'373 #·BEGIN·fix·(11·/·213)·for·'package_tcp_wrappers_installed'
374 ###############################################################################374 ###############################################################################
375 (>&2·echo·"Remediating·rule·11/213:·'service_xinetd_disabled'")375 (>&2·echo·"Remediating·rule·11/213:·'package_tcp_wrappers_installed'")
 376 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 377 #
 378 #·Example·Call(s):
 379 #
 380 #·····package_install·aide
 381 #
 382 function·package_install·{
  
 383 #·Load·function·arguments·into·local·variables
 384 local·package="$1"
  
 385 #·Check·sanity·of·the·input
 386 if·[·$#·-ne·"1"·]
 387 then
 388 ··echo·"Usage:·package_install·'package_name'"
 389 ··echo·"Aborting."
 390 ··exit·1
 391 fi
  
 392 if·which·dnf·;·then
 393 ··if·!·rpm·-q·--quiet·"$package";·then
 394 ····dnf·install·-y·"$package"
 395 ··fi
 396 elif·which·yum·;·then
 397 ··if·!·rpm·-q·--quiet·"$package";·then
 398 ····yum·install·-y·"$package"
 399 ··fi
 400 elif·which·apt-get·;·then
 401 ··apt-get·install·-y·"$package"
 402 else
 403 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 404 ··echo·"Aborting."
 405 ··exit·1
 406 fi
  
 407 }
  
 408 package_install·tcp_wrappers
 409 #·END·fix·for·'package_tcp_wrappers_installed'
  
 410 ###############################################################################
 411 #·BEGIN·fix·(12·/·213)·for·'service_xinetd_disabled'
 412 ###############################################################################
 413 (>&2·echo·"Remediating·rule·12/213:·'service_xinetd_disabled'")
376 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.414 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
377 #415 #
378 #·Example·Call(s):416 #·Example·Call(s):
379 #417 #
380 #·····service_command·enable·bluetooth418 #·····service_command·enable·bluetooth
381 #·····service_command·disable·bluetooth.service419 #·····service_command·disable·bluetooth.service
382 #420 #
Offset 451, 61 lines modifiedOffset 495, 61 lines modified
  
451 }495 }
  
452 service_command·disable·xinetd496 service_command·disable·xinetd
453 #·END·fix·for·'service_xinetd_disabled'497 #·END·fix·for·'service_xinetd_disabled'
  
454 ###############################################################################498 ###############################################################################
455 #·BEGIN·fix·(12·/·213)·for·'package_tcp_wrappers_installed'499 #·BEGIN·fix·(13·/·213)·for·'package_talk_removed'
456 ###############################################################################500 ###############################################################################
457 (>&2·echo·"Remediating·rule·12/213:·'package_tcp_wrappers_installed'")501 (>&2·echo·"Remediating·rule·13/213:·'package_talk_removed'")
458 #·Function·to·install·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.502 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
459 #503 #
460 #·Example·Call(s):504 #·Example·Call(s):
461 #505 #
462 #·····package_install·aide506 #·····package_remove·telnet-server
463 #507 #
464 function·package_install·{508 function·package_remove·{
  
465 #·Load·function·arguments·into·local·variables509 #·Load·function·arguments·into·local·variables
466 local·package="$1"510 local·package="$1"
  
467 #·Check·sanity·of·the·input511 #·Check·sanity·of·the·input
468 if·[·$#·-ne·"1"·]512 if·[·$#·-ne·"1"·]
469 then513 then
470 ··echo·"Usage:·package_install·'package_name'"514 ··echo·"Usage:·package_remove·'package_name'"
471 ··echo·"Aborting."515 ··echo·"Aborting."
472 ··exit·1516 ··exit·1
473 fi517 fi
  
474 if·which·dnf·;·then518 if·which·dnf·;·then
475 ··if·!·rpm·-q·--quiet·"$package";·then519 ··if·rpm·-q·--quiet·"$package";·then
476 ····dnf·install·-y·"$package"520 ····dnf·remove·-y·"$package"
477 ··fi521 ··fi
478 elif·which·yum·;·then522 elif·which·yum·;·then
479 ··if·!·rpm·-q·--quiet·"$package";·then523 ··if·rpm·-q·--quiet·"$package";·then
480 ····yum·install·-y·"$package"524 ····yum·remove·-y·"$package"
481 ··fi525 ··fi
482 elif·which·apt-get·;·then526 elif·which·apt-get·;·then
483 ··apt-get·install·-y·"$package"527 ··apt-get·remove·-y·"$package"
484 else528 else
485 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"529 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
486 ··echo·"Aborting."530 ··echo·"Aborting."
487 ··exit·1531 ··exit·1
488 fi532 fi
  
489 }533 }
  
490 package_install·tcp_wrappers534 package_remove·talk
491 #·END·fix·for·'package_tcp_wrappers_installed'535 #·END·fix·for·'package_talk_removed'
  
492 ###############################################################################536 ###############################################################################
493 #·BEGIN·fix·(13·/·213)·for·'package_talk_removed'537 #·BEGIN·fix·(14·/·213)·for·'package_talk-server_removed'
494 ###############################################################################538 ###############################################################################
495 (>&2·echo·"Remediating·rule·13/213:·'package_talk_removed'")539 (>&2·echo·"Remediating·rule·14/213:·'package_talk-server_removed'")
496 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.540 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
497 #541 #
498 #·Example·Call(s):542 #·Example·Call(s):
499 #543 #
500 #·····package_remove·telnet-server544 #·····package_remove·telnet-server
501 #545 #
502 function·package_remove·{546 function·package_remove·{
Offset 535, 65 lines modifiedOffset 579, 103 lines modified
535 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"579 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
536 ··echo·"Aborting."580 ··echo·"Aborting."
537 ··exit·1581 ··exit·1
Max diff block lines reached; 132822/137164 bytes (96.83%) of diff not shown.
74.1 KB
./usr/share/scap-security-guide/bash/ssg-sl7-role-cjis.sh
    
Offset 192, 17 lines modifiedOffset 192, 19 lines modified
192 ··fi192 ··fi
193 }193 }
  
194 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'194 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
195 #·END·fix·for·'sshd_set_keepalive'195 #·END·fix·for·'sshd_set_keepalive'
  
196 ###############################################################################196 ###############################################################################
197 #·BEGIN·fix·(3·/·102)·for·'sshd_enable_warning_banner'197 #·BEGIN·fix·(3·/·102)·for·'sshd_set_idle_timeout'
198 ###############################################################################198 ###############################################################################
199 (>&2·echo·"Remediating·rule·3/102:·'sshd_enable_warning_banner'")199 (>&2·echo·"Remediating·rule·3/102:·'sshd_set_idle_timeout'")
  
 200 sshd_idle_timeout_value="1800"
200 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if201 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
201 #·it·does·not·exist.202 #·it·does·not·exist.
202 #203 #
203 #·Expects·arguments:204 #·Expects·arguments:
204 #205 #
205 #·config_file:»  »  Configuration·file·that·will·be·modified206 #·config_file:»  »  Configuration·file·that·will·be·modified
206 #·key:»  »  »  Configuration·option·to·change207 #·key:»  »  »  Configuration·option·to·change
Offset 273, 21 lines modifiedOffset 275, 21 lines modified
273 ··else275 ··else
274 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline276 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
275 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"277 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
276 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"278 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
277 ··fi279 ··fi
278 }280 }
  
279 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'281 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
280 #·END·fix·for·'sshd_enable_warning_banner'282 #·END·fix·for·'sshd_set_idle_timeout'
  
281 ###############################################################################283 ###############################################################################
282 #·BEGIN·fix·(4·/·102)·for·'sshd_do_not_permit_user_env'284 #·BEGIN·fix·(4·/·102)·for·'sshd_enable_warning_banner'
283 ###############################################################################285 ###############################################################################
284 (>&2·echo·"Remediating·rule·4/102:·'sshd_do_not_permit_user_env'")286 (>&2·echo·"Remediating·rule·4/102:·'sshd_enable_warning_banner'")
285 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if287 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
286 #·it·does·not·exist.288 #·it·does·not·exist.
287 #289 #
288 #·Expects·arguments:290 #·Expects·arguments:
289 #291 #
290 #·config_file:»  »  Configuration·file·that·will·be·modified292 #·config_file:»  »  Configuration·file·that·will·be·modified
291 #·key:»  »  »  Configuration·option·to·change293 #·key:»  »  »  Configuration·option·to·change
Offset 358, 16 lines modifiedOffset 360, 16 lines modified
358 ··else360 ··else
359 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline361 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
360 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"362 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
361 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"363 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
362 ··fi364 ··fi
363 }365 }
  
364 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'366 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'
365 #·END·fix·for·'sshd_do_not_permit_user_env'367 #·END·fix·for·'sshd_enable_warning_banner'
  
366 ###############################################################################368 ###############################################################################
367 #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2'369 #·BEGIN·fix·(5·/·102)·for·'sshd_allow_only_protocol2'
368 ###############################################################################370 ###############################################################################
369 (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'")371 (>&2·echo·"Remediating·rule·5/102:·'sshd_allow_only_protocol2'")
370 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if372 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
371 #·it·does·not·exist.373 #·it·does·not·exist.
Offset 532, 19 lines modifiedOffset 534, 17 lines modified
532 ··fi534 ··fi
533 }535 }
  
534 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'536 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'
535 #·END·fix·for·'sshd_disable_rhosts'537 #·END·fix·for·'sshd_disable_rhosts'
  
536 ###############################################################################538 ###############################################################################
537 #·BEGIN·fix·(7·/·102)·for·'sshd_set_idle_timeout'539 #·BEGIN·fix·(7·/·102)·for·'sshd_do_not_permit_user_env'
538 ###############################################################################540 ###############################################################################
539 (>&2·echo·"Remediating·rule·7/102:·'sshd_set_idle_timeout'")541 (>&2·echo·"Remediating·rule·7/102:·'sshd_do_not_permit_user_env'")
  
540 sshd_idle_timeout_value="1800" 
541 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if542 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
542 #·it·does·not·exist.543 #·it·does·not·exist.
543 #544 #
544 #·Expects·arguments:545 #·Expects·arguments:
545 #546 #
546 #·config_file:»  »  Configuration·file·that·will·be·modified547 #·config_file:»  »  Configuration·file·that·will·be·modified
547 #·key:»  »  »  Configuration·option·to·change548 #·key:»  »  »  Configuration·option·to·change
Offset 615, 16 lines modifiedOffset 615, 16 lines modified
615 ··else615 ··else
616 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline616 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
617 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"617 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
618 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"618 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
619 ··fi619 ··fi
620 }620 }
  
621 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'621 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'
622 #·END·fix·for·'sshd_set_idle_timeout'622 #·END·fix·for·'sshd_do_not_permit_user_env'
  
623 ###############################################################################623 ###############################################################################
624 #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers'624 #·BEGIN·fix·(8·/·102)·for·'sshd_use_approved_ciphers'
625 ###############################################################################625 ###############################################################################
626 (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'")626 (>&2·echo·"Remediating·rule·8/102:·'sshd_use_approved_ciphers'")
627 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if627 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
628 #·it·does·not·exist.628 #·it·does·not·exist.
Offset 1193, 19 lines modifiedOffset 1193, 17 lines modified
1193 include_dconf_settings1193 include_dconf_settings
  
1194 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'1194 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'
1195 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'1195 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'
1196 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'1196 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'
  
1197 ###############################################################################1197 ###############################################################################
1198 #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_idle_delay'1198 #·BEGIN·fix·(23·/·102)·for·'dconf_gnome_screensaver_mode_blank'
1199 ###############################################################################1199 ###############################################################################
1200 (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_idle_delay'")1200 (>&2·echo·"Remediating·rule·23/102:·'dconf_gnome_screensaver_mode_blank'")
  
1201 inactivity_timeout_value="1800" 
1202 function·include_dconf_settings·{1201 function·include_dconf_settings·{
1203 »       :1202 »       :
1204 }1203 }
  
1205 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.1204 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
1206 #1205 #
1207 #·Example·Call(s):1206 #·Example·Call(s):
Offset 1273, 22 lines modifiedOffset 1271, 24 lines modified
1273 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"1271 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"
1274 »       fi1272 »       fi
1275 }1273 }
  
  
1276 include_dconf_settings1274 include_dconf_settings
  
1277 dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings'1275 dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings'
1278 dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock'1276 dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock'
1279 #·END·fix·for·'dconf_gnome_screensaver_idle_delay'1277 #·END·fix·for·'dconf_gnome_screensaver_mode_blank'
  
Max diff block lines reached; 69231/75731 bytes (91.42%) of diff not shown.
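Review bot: The new side emits the same fixes in a different order than build 1 — `sshd_set_idle_timeout` moves from rule 7/102 to 3/102 and `sshd_enable_warning_banner`/`sshd_do_not_permit_user_env` shift down (new-side lines 197–200, 284–286, 539–541), and the dconf `idle_delay`/`mode_blank` pair at 1198 is permuted the same way — so two builds of identical source produce byte-different hardening scripts, which is presumably an unordered iteration in the generator. That defeats comparing a shipped remediation script against a known-good checksum, so the fix belongs upstream of this file: sort rules by a stable key (rule id or XCCDF document order) before numbering and emitting them, and the "Remediating rule N/102" progress text then stays stable too. The reordering is functionally harmless in this section because every fix re-declares its own `replace_or_append` and sets its own `sshd_idle_timeout_value` (line 200) right before use, so no fix reads a variable left by an earlier one. One nit on new-side line 281: the value is expanded unquoted; `replace_or_append '/etc/ssh/sshd_config' '^ClientAliveInterval' "$sshd_idle_timeout_value" 'CCE-27433-2' '%s %s'` keeps the argument count fixed if the tailored value is ever empty. `replace_or_append`'s matching logic starts outside the hunk, so I have not checked how `^ClientAliveInterval` is anchored against e.g. `ClientAliveIntervalMax`-style keys.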
98.1 KB
./usr/share/scap-security-guide/bash/ssg-sl7-role-hipaa.sh
    
Offset 285, 17 lines modifiedOffset 285, 61 lines modified
  
285 }285 }
  
286 package_remove·telnet-server286 package_remove·telnet-server
287 #·END·fix·for·'package_telnet-server_removed'287 #·END·fix·for·'package_telnet-server_removed'
  
288 ###############################################################################288 ###############################################################################
289 #·BEGIN·fix·(10·/·149)·for·'service_ypbind_disabled'289 #·BEGIN·fix·(10·/·149)·for·'package_ypbind_removed'
290 ###############################################################################290 ###############################################################################
291 (>&2·echo·"Remediating·rule·10/149:·'service_ypbind_disabled'")291 (>&2·echo·"Remediating·rule·10/149:·'package_ypbind_removed'")
 292 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 293 #
 294 #·Example·Call(s):
 295 #
 296 #·····package_remove·telnet-server
 297 #
 298 function·package_remove·{
  
 299 #·Load·function·arguments·into·local·variables
 300 local·package="$1"
  
 301 #·Check·sanity·of·the·input
 302 if·[·$#·-ne·"1"·]
 303 then
 304 ··echo·"Usage:·package_remove·'package_name'"
 305 ··echo·"Aborting."
 306 ··exit·1
 307 fi
  
 308 if·which·dnf·;·then
 309 ··if·rpm·-q·--quiet·"$package";·then
 310 ····dnf·remove·-y·"$package"
 311 ··fi
 312 elif·which·yum·;·then
 313 ··if·rpm·-q·--quiet·"$package";·then
 314 ····yum·remove·-y·"$package"
 315 ··fi
 316 elif·which·apt-get·;·then
 317 ··apt-get·remove·-y·"$package"
 318 else
 319 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 320 ··echo·"Aborting."
 321 ··exit·1
 322 fi
  
 323 }
  
 324 package_remove·ypbind
 325 #·END·fix·for·'package_ypbind_removed'
  
 326 ###############################################################################
 327 #·BEGIN·fix·(11·/·149)·for·'service_ypbind_disabled'
 328 ###############################################################################
 329 (>&2·echo·"Remediating·rule·11/149:·'service_ypbind_disabled'")
292 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.330 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
293 #331 #
294 #·Example·Call(s):332 #·Example·Call(s):
295 #333 #
296 #·····service_command·enable·bluetooth334 #·····service_command·enable·bluetooth
297 #·····service_command·disable·bluetooth.service335 #·····service_command·disable·bluetooth.service
298 #336 #
Offset 367, 58 lines modifiedOffset 411, 14 lines modified
  
367 }411 }
  
368 service_command·disable·ypbind412 service_command·disable·ypbind
369 #·END·fix·for·'service_ypbind_disabled'413 #·END·fix·for·'service_ypbind_disabled'
  
370 ###############################################################################414 ###############################################################################
371 #·BEGIN·fix·(11·/·149)·for·'package_ypbind_removed' 
372 ############################################################################### 
373 (>&2·echo·"Remediating·rule·11/149:·'package_ypbind_removed'") 
374 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
375 # 
376 #·Example·Call(s): 
377 # 
378 #·····package_remove·telnet-server 
379 # 
380 function·package_remove·{ 
  
381 #·Load·function·arguments·into·local·variables 
382 local·package="$1" 
  
383 #·Check·sanity·of·the·input 
384 if·[·$#·-ne·"1"·] 
385 then 
386 ··echo·"Usage:·package_remove·'package_name'" 
387 ··echo·"Aborting." 
388 ··exit·1 
389 fi 
  
390 if·which·dnf·;·then 
391 ··if·rpm·-q·--quiet·"$package";·then 
392 ····dnf·remove·-y·"$package" 
393 ··fi 
394 elif·which·yum·;·then 
395 ··if·rpm·-q·--quiet·"$package";·then 
396 ····yum·remove·-y·"$package" 
397 ··fi 
398 elif·which·apt-get·;·then 
399 ··apt-get·remove·-y·"$package" 
400 else 
401 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
402 ··echo·"Aborting." 
403 ··exit·1 
404 fi 
  
405 } 
  
406 package_remove·ypbind 
407 #·END·fix·for·'package_ypbind_removed' 
  
408 ############################################################################### 
409 #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed'415 #·BEGIN·fix·(12·/·149)·for·'package_ypserv_removed'
410 ###############################################################################416 ###############################################################################
411 (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'")417 (>&2·echo·"Remediating·rule·12/149:·'package_ypserv_removed'")
412 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.418 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
413 #419 #
414 #·Example·Call(s):420 #·Example·Call(s):
415 #421 #
Offset 922, 17 lines modifiedOffset 922, 17 lines modified
922 #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports'922 #·BEGIN·fix·(20·/·149)·for·'use_kerberos_security_all_exports'
923 ###############################################################################923 ###############################################################################
924 (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'")924 (>&2·echo·"Remediating·rule·20/149:·'use_kerberos_security_all_exports'")
925 #·FIX·FOR·THIS·RULE·IS·MISSING925 #·FIX·FOR·THIS·RULE·IS·MISSING
926 #·END·fix·for·'use_kerberos_security_all_exports'926 #·END·fix·for·'use_kerberos_security_all_exports'
  
Max diff block lines reached; 96537/100366 bytes (96.18%) of diff not shown.
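Review bot: Build 2 runs `package_remove ypbind` as rule 10/149 before `service_command disable ypbind` as 11/149 (new-side lines 289–329 and 412), whereas build 1 had them the other way round; the same source yielding two orderings means the generator's rule order is not deterministic, and it should sort rules by a stable key before numbering them so the shipped script is reproducible. Unlike the purely cosmetic moves elsewhere, this order can change behaviour: removing the package first leaves the disable step acting on a unit whose files may already be gone, so whether rule 11 succeeds, no-ops or aborts the run depends on how `service_command` treats a missing unit and on whether the script runs under `set -e` — `service_command`'s body starts at line 330 and continues past the hunk, so I could not confirm either. If the generator cannot guarantee ordering, the safe shape is for the service step to guard itself, e.g. `systemctl list-unit-files --type=service | grep -q '^ypbind\.service' && service_command disable ypbind`. Smaller, on line 317: the apt-get branch removes unconditionally while both rpm branches are gated on `rpm -q`; `dpkg -s "$package" >/dev/null 2>&1 && apt-get remove -y "$package"` would make the Debian path consistent with the others.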
226 KB
./usr/share/scap-security-guide/bash/ssg-sl7-role-nist-800-171-cui.sh
    
Offset 293, 17 lines modifiedOffset 293, 61 lines modified
  
293 }293 }
  
294 package_remove·telnet-server294 package_remove·telnet-server
295 #·END·fix·for·'package_telnet-server_removed'295 #·END·fix·for·'package_telnet-server_removed'
  
296 ###############################################################################296 ###############################################################################
297 #·BEGIN·fix·(10·/·358)·for·'service_ypbind_disabled'297 #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed'
298 ###############################################################################298 ###############################################################################
299 (>&2·echo·"Remediating·rule·10/358:·'service_ypbind_disabled'")299 (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'")
 300 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 301 #
 302 #·Example·Call(s):
 303 #
 304 #·····package_remove·telnet-server
 305 #
 306 function·package_remove·{
  
 307 #·Load·function·arguments·into·local·variables
 308 local·package="$1"
  
 309 #·Check·sanity·of·the·input
 310 if·[·$#·-ne·"1"·]
 311 then
 312 ··echo·"Usage:·package_remove·'package_name'"
 313 ··echo·"Aborting."
 314 ··exit·1
 315 fi
  
 316 if·which·dnf·;·then
 317 ··if·rpm·-q·--quiet·"$package";·then
 318 ····dnf·remove·-y·"$package"
 319 ··fi
 320 elif·which·yum·;·then
 321 ··if·rpm·-q·--quiet·"$package";·then
 322 ····yum·remove·-y·"$package"
 323 ··fi
 324 elif·which·apt-get·;·then
 325 ··apt-get·remove·-y·"$package"
 326 else
 327 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 328 ··echo·"Aborting."
 329 ··exit·1
 330 fi
  
 331 }
  
 332 package_remove·ypbind
 333 #·END·fix·for·'package_ypbind_removed'
  
 334 ###############################################################################
 335 #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled'
 336 ###############################################################################
 337 (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'")
300 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.338 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
301 #339 #
302 #·Example·Call(s):340 #·Example·Call(s):
303 #341 #
304 #·····service_command·enable·bluetooth342 #·····service_command·enable·bluetooth
305 #·····service_command·disable·bluetooth.service343 #·····service_command·disable·bluetooth.service
306 #344 #
Offset 375, 58 lines modifiedOffset 419, 14 lines modified
  
375 }419 }
  
376 service_command·disable·ypbind420 service_command·disable·ypbind
377 #·END·fix·for·'service_ypbind_disabled'421 #·END·fix·for·'service_ypbind_disabled'
  
378 ###############################################################################422 ###############################################################################
379 #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' 
380 ############################################################################### 
381 (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") 
382 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
383 # 
384 #·Example·Call(s): 
385 # 
386 #·····package_remove·telnet-server 
387 # 
388 function·package_remove·{ 
  
389 #·Load·function·arguments·into·local·variables 
390 local·package="$1" 
  
391 #·Check·sanity·of·the·input 
392 if·[·$#·-ne·"1"·] 
393 then 
394 ··echo·"Usage:·package_remove·'package_name'" 
395 ··echo·"Aborting." 
396 ··exit·1 
397 fi 
  
398 if·which·dnf·;·then 
399 ··if·rpm·-q·--quiet·"$package";·then 
400 ····dnf·remove·-y·"$package" 
401 ··fi 
402 elif·which·yum·;·then 
403 ··if·rpm·-q·--quiet·"$package";·then 
404 ····yum·remove·-y·"$package" 
405 ··fi 
406 elif·which·apt-get·;·then 
407 ··apt-get·remove·-y·"$package" 
408 else 
409 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
410 ··echo·"Aborting." 
411 ··exit·1 
412 fi 
  
413 } 
  
414 package_remove·ypbind 
415 #·END·fix·for·'package_ypbind_removed' 
  
416 ############################################################################### 
417 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'423 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'
418 ###############################################################################424 ###############################################################################
419 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")425 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")
420 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.426 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
421 #427 #
422 #·Example·Call(s):428 #·Example·Call(s):
423 #429 #
Offset 1428, 17 lines modifiedOffset 1428, 17 lines modified
1428 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'1428 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'
1429 ###############################################################################1429 ###############################################################################
1430 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")1430 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")
1431 #·FIX·FOR·THIS·RULE·IS·MISSING1431 #·FIX·FOR·THIS·RULE·IS·MISSING
1432 #·END·fix·for·'mount_option_nodev_remote_filesystems'1432 #·END·fix·for·'mount_option_nodev_remote_filesystems'
  
Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown.
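Review bot: The only substantive difference between the two builds of this CUI profile script is that `package_ypbind_removed` and `service_ypbind_disabled` swap places (new-side rules 10/358 and 11/358, lines 297–337 and 420), while the neighbouring `package_ypserv_removed` at 12/358 keeps its slot — which looks like an unstable sort or unordered-set iteration in the generator rather than a deliberate change, and should be fixed there with a deterministic rule order. A script that an assessor is expected to checksum against a known-good build must not differ between rebuilds of the same source. The swap is also the one place where order is observable: after `package_remove ypbind` (line 332) the `service_command disable ypbind` at 420 targets a unit that may no longer be installed, and whether that is silently tolerated or fails the run depends on `service_command`, whose body begins at line 338 and runs past the hunk. Until the generator orders dependent rules, the disable step should tolerate an absent unit, for example `systemctl cat ypbind.service >/dev/null 2>&1 && service_command disable ypbind`. The `# FIX FOR THIS RULE IS MISSING` stub for `mount_option_nodev_remote_filesystems` at 1431 is unchanged but worth a comment in the generated output explaining that the rule must be remediated manually, so a run that prints "Remediating rule 32/358" is not mistaken for a successful fix.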
226 KB
./usr/share/scap-security-guide/bash/ssg-sl7-role-ospp.sh
    
Offset 304, 17 lines modifiedOffset 304, 61 lines modified
  
304 }304 }
  
305 package_remove·telnet-server305 package_remove·telnet-server
306 #·END·fix·for·'package_telnet-server_removed'306 #·END·fix·for·'package_telnet-server_removed'
  
307 ###############################################################################307 ###############################################################################
308 #·BEGIN·fix·(10·/·358)·for·'service_ypbind_disabled'308 #·BEGIN·fix·(10·/·358)·for·'package_ypbind_removed'
309 ###############################################################################309 ###############################################################################
310 (>&2·echo·"Remediating·rule·10/358:·'service_ypbind_disabled'")310 (>&2·echo·"Remediating·rule·10/358:·'package_ypbind_removed'")
 311 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
 312 #
 313 #·Example·Call(s):
 314 #
 315 #·····package_remove·telnet-server
 316 #
 317 function·package_remove·{
  
 318 #·Load·function·arguments·into·local·variables
 319 local·package="$1"
  
 320 #·Check·sanity·of·the·input
 321 if·[·$#·-ne·"1"·]
 322 then
 323 ··echo·"Usage:·package_remove·'package_name'"
 324 ··echo·"Aborting."
 325 ··exit·1
 326 fi
  
 327 if·which·dnf·;·then
 328 ··if·rpm·-q·--quiet·"$package";·then
 329 ····dnf·remove·-y·"$package"
 330 ··fi
 331 elif·which·yum·;·then
 332 ··if·rpm·-q·--quiet·"$package";·then
 333 ····yum·remove·-y·"$package"
 334 ··fi
 335 elif·which·apt-get·;·then
 336 ··apt-get·remove·-y·"$package"
 337 else
 338 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!"
 339 ··echo·"Aborting."
 340 ··exit·1
 341 fi
  
 342 }
  
 343 package_remove·ypbind
 344 #·END·fix·for·'package_ypbind_removed'
  
 345 ###############################################################################
 346 #·BEGIN·fix·(11·/·358)·for·'service_ypbind_disabled'
 347 ###############################################################################
 348 (>&2·echo·"Remediating·rule·11/358:·'service_ypbind_disabled'")
311 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.349 #·Function·to·enable/disable·and·start/stop·services·on·RHEL·and·Fedora·systems.
312 #350 #
313 #·Example·Call(s):351 #·Example·Call(s):
314 #352 #
315 #·····service_command·enable·bluetooth353 #·····service_command·enable·bluetooth
316 #·····service_command·disable·bluetooth.service354 #·····service_command·disable·bluetooth.service
317 #355 #
Offset 386, 58 lines modifiedOffset 430, 14 lines modified
  
386 }430 }
  
387 service_command·disable·ypbind431 service_command·disable·ypbind
388 #·END·fix·for·'service_ypbind_disabled'432 #·END·fix·for·'service_ypbind_disabled'
  
389 ###############################################################################433 ###############################################################################
390 #·BEGIN·fix·(11·/·358)·for·'package_ypbind_removed' 
391 ############################################################################### 
392 (>&2·echo·"Remediating·rule·11/358:·'package_ypbind_removed'") 
393 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems. 
394 # 
395 #·Example·Call(s): 
396 # 
397 #·····package_remove·telnet-server 
398 # 
399 function·package_remove·{ 
  
400 #·Load·function·arguments·into·local·variables 
401 local·package="$1" 
  
402 #·Check·sanity·of·the·input 
403 if·[·$#·-ne·"1"·] 
404 then 
405 ··echo·"Usage:·package_remove·'package_name'" 
406 ··echo·"Aborting." 
407 ··exit·1 
408 fi 
  
409 if·which·dnf·;·then 
410 ··if·rpm·-q·--quiet·"$package";·then 
411 ····dnf·remove·-y·"$package" 
412 ··fi 
413 elif·which·yum·;·then 
414 ··if·rpm·-q·--quiet·"$package";·then 
415 ····yum·remove·-y·"$package" 
416 ··fi 
417 elif·which·apt-get·;·then 
418 ··apt-get·remove·-y·"$package" 
419 else 
420 ··echo·"Failed·to·detect·available·packaging·system,·tried·dnf,·yum·and·apt-get!" 
421 ··echo·"Aborting." 
422 ··exit·1 
423 fi 
  
424 } 
  
425 package_remove·ypbind 
426 #·END·fix·for·'package_ypbind_removed' 
  
427 ############################################################################### 
428 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'434 #·BEGIN·fix·(12·/·358)·for·'package_ypserv_removed'
429 ###############################################################################435 ###############################################################################
430 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")436 (>&2·echo·"Remediating·rule·12/358:·'package_ypserv_removed'")
431 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.437 #·Function·to·remove·packages·on·RHEL,·Fedora,·Debian,·and·possibly·other·systems.
432 #438 #
433 #·Example·Call(s):439 #·Example·Call(s):
434 #440 #
Offset 1439, 17 lines modifiedOffset 1439, 17 lines modified
1439 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'1439 #·BEGIN·fix·(32·/·358)·for·'mount_option_nodev_remote_filesystems'
1440 ###############################################################################1440 ###############################################################################
1441 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")1441 (>&2·echo·"Remediating·rule·32/358:·'mount_option_nodev_remote_filesystems'")
1442 #·FIX·FOR·THIS·RULE·IS·MISSING1442 #·FIX·FOR·THIS·RULE·IS·MISSING
1443 #·END·fix·for·'mount_option_nodev_remote_filesystems'1443 #·END·fix·for·'mount_option_nodev_remote_filesystems'
  
Max diff block lines reached; 227689/231532 bytes (98.34%) of diff not shown.
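Review bot: Rules 10/358 and 11/358 change places between the two builds (`package_ypbind_removed` now precedes `service_ypbind_disabled`, new-side lines 308–348 and 431) with no source change behind it, so the build is not reproducible; the generator should emit rules in a stable, sorted order — by rule id or document order — and this diff should then disappear. Because this particular pair is order-sensitive (the service-disable step at 431 now runs after the package that owns the unit was removed at 343), a nondeterministic order also means two installs of the "same" package can behave differently when `service_command` meets a missing unit; its body starts at line 349 and continues outside the hunk, so I could not verify how it reacts. Two robustness points in the `package_remove` body that the new side carries forward: `which dnf` at 327 (and the `yum`/`apt-get` probes) depends on a `which` binary that minimal images often lack, and `command -v dnf >/dev/null 2>&1` is the POSIX form; and the apt-get branch at 336 runs `apt-get remove -y "$package"` with no installed-check, unlike the rpm branches, so on Debian-derived targets the script will attempt the removal every run.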
60.4 KB
./usr/share/scap-security-guide/bash/ssg-sl7-role-pci-dss.sh
    
Offset 793, 19 lines modifiedOffset 793, 17 lines modified
793 include_dconf_settings793 include_dconf_settings
  
794 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'794 dconf_settings·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'true'·'local.d'·'00-security-settings'
795 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'795 dconf_lock·'org/gnome/desktop/screensaver'·'idle-activation-enabled'·'local.d'·'00-security-settings-lock'
796 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'796 #·END·fix·for·'dconf_gnome_screensaver_idle_activation_enabled'
  
797 ###############################################################################797 ###############################################################################
798 #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_idle_delay'798 #·BEGIN·fix·(17·/·94)·for·'dconf_gnome_screensaver_mode_blank'
799 ###############################################################################799 ###############################################################################
800 (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_idle_delay'")800 (>&2·echo·"Remediating·rule·17/94:·'dconf_gnome_screensaver_mode_blank'")
  
801 inactivity_timeout_value="900" 
802 function·include_dconf_settings·{801 function·include_dconf_settings·{
803 »       :802 »       :
804 }803 }
  
805 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.804 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
806 #805 #
807 #·Example·Call(s):806 #·Example·Call(s):
Offset 873, 22 lines modifiedOffset 871, 24 lines modified
873 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"871 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"
874 »       fi872 »       fi
875 }873 }
  
  
876 include_dconf_settings874 include_dconf_settings
  
877 dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings'875 dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings'
878 dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock'876 dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock'
879 #·END·fix·for·'dconf_gnome_screensaver_idle_delay'877 #·END·fix·for·'dconf_gnome_screensaver_mode_blank'
  
880 ###############################################################################878 ###############################################################################
881 #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_mode_blank'879 #·BEGIN·fix·(18·/·94)·for·'dconf_gnome_screensaver_idle_delay'
882 ###############################################################################880 ###############################################################################
883 (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_mode_blank'")881 (>&2·echo·"Remediating·rule·18/94:·'dconf_gnome_screensaver_idle_delay'")
  
 882 inactivity_timeout_value="900"
884 function·include_dconf_settings·{883 function·include_dconf_settings·{
885 »       :884 »       :
886 }885 }
  
887 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.886 #·Function·to·configure·DConf·settings·for·RHEL·and·Fedora·systems.
888 #887 #
889 #·Example·Call(s):888 #·Example·Call(s):
Offset 956, 17 lines modifiedOffset 956, 17 lines modified
956 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"956 »       »       echo·"/${_key}/${_setting}"·>>·"/etc/dconf/db/${_db}/locks/${_lockFile}"
957 »       fi957 »       fi
958 }958 }
  
  
959 include_dconf_settings959 include_dconf_settings
  
960 dconf_settings·'org/gnome/desktop/screensaver'·'picture-uri'·"string·''"·'local.d'·'00-security-settings'960 dconf_settings·'org/gnome/desktop/session'·'idle-delay'·"uint32·${inactivity_timeout_value}"·'local.d'·'00-security-settings'
961 dconf_lock·'org/gnome/desktop/screensaver'·'picture-uri'·'local.d'·'00-security-settings-lock'961 dconf_lock·'org/gnome/desktop/session'·'idle-delay'·'local.d'·'00-security-settings-lock'
962 #·END·fix·for·'dconf_gnome_screensaver_mode_blank'962 #·END·fix·for·'dconf_gnome_screensaver_idle_delay'
  
963 ###############################################################################963 ###############################################################################
964 #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled'964 #·BEGIN·fix·(19·/·94)·for·'dconf_gnome_screensaver_lock_enabled'
965 ###############################################################################965 ###############################################################################
966 (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'")966 (>&2·echo·"Remediating·rule·19/94:·'dconf_gnome_screensaver_lock_enabled'")
967 function·include_dconf_settings·{967 function·include_dconf_settings·{
968 »       :968 »       :
Offset 2117, 72 lines modifiedOffset 2117, 72 lines modified
2117 ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG2117 ··sed·-i·'s/^action_mail_acct.*/action_mail_acct·=·'"$var_auditd_action_mail_acct"'/g'·$AUDITCONFIG
2118 if·!·[·$?·-eq·0·];·then2118 if·!·[·$?·-eq·0·];·then
2119 ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG2119 ··echo·"action_mail_acct·=·$var_auditd_action_mail_acct"·>>·$AUDITCONFIG
2120 fi2120 fi
2121 #·END·fix·for·'auditd_data_retention_action_mail_acct'2121 #·END·fix·for·'auditd_data_retention_action_mail_acct'
  
2122 ###############################################################################2122 ###############################################################################
2123 #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_space_left_action'2123 #·BEGIN·fix·(48·/·94)·for·'auditd_data_retention_admin_space_left_action'
2124 ###############################################################################2124 ###############################################################################
2125 (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_space_left_action'")2125 (>&2·echo·"Remediating·rule·48/94:·'auditd_data_retention_admin_space_left_action'")
  
2126 var_auditd_space_left_action="suspend" 
  
2127 grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\ 
2128 ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf 
2129 if·!·[·$?·-eq·0·];·then 
2130 ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf 
2131 fi 
2132 #·END·fix·for·'auditd_data_retention_space_left_action' 
  
2133 ############################################################################### 
2134 #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_admin_space_left_action' 
2135 ############################################################################### 
2136 (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_admin_space_left_action'") 
  
2137 var_auditd_admin_space_left_action="suspend"2126 var_auditd_admin_space_left_action="suspend"
  
2138 grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\2127 grep·-q·^admin_space_left_action·/etc/audit/auditd.conf·&&·\
2139 ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf2128 ··sed·-i·"s/admin_space_left_action.*/admin_space_left_action·=·$var_auditd_admin_space_left_action/g"·/etc/audit/auditd.conf
2140 if·!·[·$?·-eq·0·];·then2129 if·!·[·$?·-eq·0·];·then
2141 ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf2130 ····echo·"admin_space_left_action·=·$var_auditd_admin_space_left_action"·>>·/etc/audit/auditd.conf
2142 fi2131 fi
2143 #·END·fix·for·'auditd_data_retention_admin_space_left_action'2132 #·END·fix·for·'auditd_data_retention_admin_space_left_action'
  
2144 ###############################################################################2133 ###############################################################################
2145 #·BEGIN·fix·(50·/·94)·for·'auditd_data_retention_num_logs'2134 #·BEGIN·fix·(49·/·94)·for·'auditd_data_retention_max_log_file_action'
2146 ###############################################################################2135 ###############################################################################
2147 (>&2·echo·"Remediating·rule·50/94:·'auditd_data_retention_num_logs'")2136 (>&2·echo·"Remediating·rule·49/94:·'auditd_data_retention_max_log_file_action'")
  
2148 var_auditd_num_logs="5"2137 var_auditd_max_log_file_action="rotate"
  
2149 AUDITCONFIG=/etc/audit/auditd.conf2138 AUDITCONFIG=/etc/audit/auditd.conf
  
2150 grep·-q·^num_logs·$AUDITCONFIG·&&·\2139 grep·-q·^max_log_file_action·$AUDITCONFIG·&&·\
2151 ··sed·-i·'s/^num_logs.*/num_logs·=·'"$var_auditd_num_logs"'/g'·$AUDITCONFIG2140 ··sed·-i·'s/^max_log_file_action.*/max_log_file_action·=·'"$var_auditd_max_log_file_action"'/g'·$AUDITCONFIG
2152 if·!·[·$?·-eq·0·];·then2141 if·!·[·$?·-eq·0·];·then
2153 ··echo·"num_logs·=·$var_auditd_num_logs"·>>·$AUDITCONFIG2142 ··echo·"max_log_file_action·=·$var_auditd_max_log_file_action"·>>·$AUDITCONFIG
2154 fi2143 fi
2155 #·END·fix·for·'auditd_data_retention_num_logs'2144 #·END·fix·for·'auditd_data_retention_max_log_file_action'
  
2156 ###############################################################################2145 ###############################################################################
2157 #·BEGIN·fix·(51·/·94)·for·'auditd_data_retention_max_log_file_action'2146 #·BEGIN·fix·(50·/·94)·for·'auditd_data_retention_space_left_action'
2158 ###############################################################################2147 ###############################################################################
2159 (>&2·echo·"Remediating·rule·51/94:·'auditd_data_retention_max_log_file_action'")2148 (>&2·echo·"Remediating·rule·50/94:·'auditd_data_retention_space_left_action'")
  
2160 var_auditd_max_log_file_action="rotate"2149 var_auditd_space_left_action="suspend"
  
 2150 grep·-q·^space_left_action·/etc/audit/auditd.conf·&&·\
 2151 ··sed·-i·"s/space_left_action.*/space_left_action·=·$var_auditd_space_left_action/g"·/etc/audit/auditd.conf
 2152 if·!·[·$?·-eq·0·];·then
 2153 ····echo·"space_left_action·=·$var_auditd_space_left_action"·>>·/etc/audit/auditd.conf
 2154 fi
 2155 #·END·fix·for·'auditd_data_retention_space_left_action'
  
Max diff block lines reached; 54266/61706 bytes (87.94%) of diff not shown.
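Review bot: The `space_left_action` sed at new line 2151 is unanchored (`s/space_left_action.*/…/g`), so it also rewrites the `admin_space_left_action` line that the block at new lines 2127–2131 has just written; the guard on new line 2150 already anchors with `^`, and the sed should match it: `sed -i "s/^space_left_action.*/space_left_action = $var_auditd_space_left_action/g" /etc/audit/auditd.conf` (the `max_log_file_action` rule at new line 2140 anchors its pattern the same way). With both variables set to "suspend" in this profile the clobbering is masked, but it surfaces as soon as the two values differ. Separately, the only difference between the two builds in this section is the order in which rule fixes are emitted (17/18 and 48–51 trade places with identical bodies), which suggests unordered iteration in the generator rather than any change in the remediations; the same reordering appears in the ssg-sl7-role-rht-ccp.sh, ssg-sl7-role-standard.sh and ssg-sl7-role-stig-rhel7-disa.sh sections.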
8.83 KB
./usr/share/scap-security-guide/bash/ssg-sl7-role-rht-ccp.sh
    
Offset 376, 17 lines modifiedOffset 376, 19 lines modified
376 ··fi376 ··fi
377 }377 }
  
378 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'378 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
379 #·END·fix·for·'sshd_set_keepalive'379 #·END·fix·for·'sshd_set_keepalive'
  
380 ###############################################################################380 ###############################################################################
381 #·BEGIN·fix·(7·/·70)·for·'sshd_enable_warning_banner'381 #·BEGIN·fix·(7·/·70)·for·'sshd_set_idle_timeout'
382 ###############################################################################382 ###############################################################################
383 (>&2·echo·"Remediating·rule·7/70:·'sshd_enable_warning_banner'")383 (>&2·echo·"Remediating·rule·7/70:·'sshd_set_idle_timeout'")
  
 384 sshd_idle_timeout_value="300"
384 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if385 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
385 #·it·does·not·exist.386 #·it·does·not·exist.
386 #387 #
387 #·Expects·arguments:388 #·Expects·arguments:
388 #389 #
389 #·config_file:»  »  Configuration·file·that·will·be·modified390 #·config_file:»  »  Configuration·file·that·will·be·modified
390 #·key:»  »  »  Configuration·option·to·change391 #·key:»  »  »  Configuration·option·to·change
Offset 457, 21 lines modifiedOffset 459, 21 lines modified
457 ··else459 ··else
458 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline460 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
459 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"461 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
460 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"462 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
461 ··fi463 ··fi
462 }464 }
  
463 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'465 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
464 #·END·fix·for·'sshd_enable_warning_banner'466 #·END·fix·for·'sshd_set_idle_timeout'
  
465 ###############################################################################467 ###############################################################################
466 #·BEGIN·fix·(8·/·70)·for·'sshd_do_not_permit_user_env'468 #·BEGIN·fix·(8·/·70)·for·'sshd_enable_warning_banner'
467 ###############################################################################469 ###############################################################################
468 (>&2·echo·"Remediating·rule·8/70:·'sshd_do_not_permit_user_env'")470 (>&2·echo·"Remediating·rule·8/70:·'sshd_enable_warning_banner'")
469 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if471 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
470 #·it·does·not·exist.472 #·it·does·not·exist.
471 #473 #
472 #·Expects·arguments:474 #·Expects·arguments:
473 #475 #
474 #·config_file:»  »  Configuration·file·that·will·be·modified476 #·config_file:»  »  Configuration·file·that·will·be·modified
475 #·key:»  »  »  Configuration·option·to·change477 #·key:»  »  »  Configuration·option·to·change
Offset 542, 16 lines modifiedOffset 544, 16 lines modified
542 ··else544 ··else
543 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline545 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
544 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"546 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
545 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"547 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
546 ··fi548 ··fi
547 }549 }
  
548 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'550 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'
549 #·END·fix·for·'sshd_do_not_permit_user_env'551 #·END·fix·for·'sshd_enable_warning_banner'
  
550 ###############################################################################552 ###############################################################################
551 #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2'553 #·BEGIN·fix·(9·/·70)·for·'sshd_allow_only_protocol2'
552 ###############################################################################554 ###############################################################################
553 (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'")555 (>&2·echo·"Remediating·rule·9/70:·'sshd_allow_only_protocol2'")
554 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if556 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
555 #·it·does·not·exist.557 #·it·does·not·exist.
Offset 716, 19 lines modifiedOffset 718, 17 lines modified
716 ··fi718 ··fi
717 }719 }
  
718 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'720 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreRhosts'·'yes'·'CCE-27377-1'·'%s·%s'
719 #·END·fix·for·'sshd_disable_rhosts'721 #·END·fix·for·'sshd_disable_rhosts'
  
720 ###############################################################################722 ###############################################################################
721 #·BEGIN·fix·(11·/·70)·for·'sshd_set_idle_timeout'723 #·BEGIN·fix·(11·/·70)·for·'sshd_do_not_permit_user_env'
722 ###############################################################################724 ###############################################################################
723 (>&2·echo·"Remediating·rule·11/70:·'sshd_set_idle_timeout'")725 (>&2·echo·"Remediating·rule·11/70:·'sshd_do_not_permit_user_env'")
  
724 sshd_idle_timeout_value="300" 
725 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if726 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
726 #·it·does·not·exist.727 #·it·does·not·exist.
727 #728 #
728 #·Expects·arguments:729 #·Expects·arguments:
729 #730 #
730 #·config_file:»  »  Configuration·file·that·will·be·modified731 #·config_file:»  »  Configuration·file·that·will·be·modified
731 #·key:»  »  »  Configuration·option·to·change732 #·key:»  »  »  Configuration·option·to·change
Offset 799, 16 lines modifiedOffset 799, 16 lines modified
799 ··else799 ··else
800 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline800 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
801 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"801 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
802 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"802 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
803 ··fi803 ··fi
804 }804 }
  
805 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'805 replace_or_append·'/etc/ssh/sshd_config'·'^PermitUserEnvironment'·'no'·'CCE-27363-1'·'%s·%s'
806 #·END·fix·for·'sshd_set_idle_timeout'806 #·END·fix·for·'sshd_do_not_permit_user_env'
  
807 ###############################################################################807 ###############################################################################
808 #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers'808 #·BEGIN·fix·(12·/·70)·for·'sshd_use_approved_ciphers'
809 ###############################################################################809 ###############################################################################
810 (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'")810 (>&2·echo·"Remediating·rule·12/70:·'sshd_use_approved_ciphers'")
811 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if811 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
812 #·it·does·not·exist.812 #·it·does·not·exist.
Offset 1502, 26 lines modifiedOffset 1502, 26 lines modified
1502 ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs1502 ··sed·-i·"s/PASS_MIN_DAYS.*/PASS_MIN_DAYS·····$var_accounts_minimum_age_login_defs/g"·/etc/login.defs
1503 if·!·[·$?·-eq·0·];·then1503 if·!·[·$?·-eq·0·];·then
1504 ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs1504 ····echo·"PASS_MIN_DAYS······$var_accounts_minimum_age_login_defs"·>>·/etc/login.defs
1505 fi1505 fi
1506 #·END·fix·for·'accounts_minimum_age_login_defs'1506 #·END·fix·for·'accounts_minimum_age_login_defs'
  
1507 ###############################################################################1507 ###############################################################################
1508 #·BEGIN·fix·(34·/·70)·for·'accounts_no_uid_except_zero'1508 #·BEGIN·fix·(34·/·70)·for·'no_shelllogin_for_systemaccounts'
1509 ###############################################################################1509 ###############################################################################
1510 (>&2·echo·"Remediating·rule·34/70:·'accounts_no_uid_except_zero'")1510 (>&2·echo·"Remediating·rule·34/70:·'no_shelllogin_for_systemaccounts'")
1511 awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l1511 #·FIX·FOR·THIS·RULE·IS·MISSING
1512 #·END·fix·for·'accounts_no_uid_except_zero'1512 #·END·fix·for·'no_shelllogin_for_systemaccounts'
  
1513 ###############################################################################1513 ###############################################################################
1514 #·BEGIN·fix·(35·/·70)·for·'no_shelllogin_for_systemaccounts'1514 #·BEGIN·fix·(35·/·70)·for·'accounts_no_uid_except_zero'
1515 ###############################################################################1515 ###############################################################################
1516 (>&2·echo·"Remediating·rule·35/70:·'no_shelllogin_for_systemaccounts'")1516 (>&2·echo·"Remediating·rule·35/70:·'accounts_no_uid_except_zero'")
1517 #·FIX·FOR·THIS·RULE·IS·MISSING1517 awk·-F:·'$3·==·0·&&·$1·!=·"root"·{·print·$1·}'·/etc/passwd·|·xargs·passwd·-l
1518 #·END·fix·for·'no_shelllogin_for_systemaccounts'1518 #·END·fix·for·'accounts_no_uid_except_zero'
  
1519 ###############################################################################1519 ###############################################################################
1520 #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed'1520 #·BEGIN·fix·(36·/·70)·for·'accounts_password_all_shadowed'
1521 ###############################################################################1521 ###############################################################################
1522 (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'")1522 (>&2·echo·"Remediating·rule·36/70:·'accounts_password_all_shadowed'")
1523 #·FIX·FOR·THIS·RULE·IS·MISSING1523 #·FIX·FOR·THIS·RULE·IS·MISSING
1524 #·END·fix·for·'accounts_password_all_shadowed'1524 #·END·fix·for·'accounts_password_all_shadowed'
Offset 2267, 37 lines modifiedOffset 2267, 37 lines modified
2267 ###############################################################################2267 ###############################################################################
2268 (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'")2268 (>&2·echo·"Remediating·rule·66/70:·'file_permissions_etc_passwd'")
  
2269 chmod·0644·/etc/passwd2269 chmod·0644·/etc/passwd
Max diff block lines reached; 1963/8920 bytes (22.01%) of diff not shown.
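Review bot: The `accounts_no_uid_except_zero` remediation at new line 1517 pipes awk output into `xargs passwd -l`, and GNU xargs runs its command once even when it receives no input, so on a system with no extra UID-0 accounts (the common case) this executes `passwd -l` with no user name, which presumably acts on the invoking account, i.e. root; `xargs -r passwd -l` (`--no-run-if-empty`) avoids that. At new line 465 `$sshd_idle_timeout_value` is passed unquoted while every other `replace_or_append` call in this section quotes its value argument; `"$sshd_idle_timeout_value"` keeps it consistent and safe against word splitting.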
53.2 KB
./usr/share/scap-security-guide/bash/ssg-sl7-role-standard.sh
    
Offset 1476, 158 lines modifiedOffset 1476, 17 lines modified
1476 }1476 }
  
1477 fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules"1477 fix_audit_watch_rule·"auditctl"·"/usr/sbin/modprobe"·"x"·"modules"
1478 fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules"1478 fix_audit_watch_rule·"augenrules"·"/usr/sbin/modprobe"·"x"·"modules"
1479 #·END·fix·for·'audit_rules_kernel_module_loading'1479 #·END·fix·for·'audit_rules_kernel_module_loading'
  
1480 ###############################################################################1480 ###############################################################################
1481 #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_watch_localtime'1481 #·BEGIN·fix·(19·/·51)·for·'audit_rules_time_stime'
1482 ###############################################################################1482 ###############################################################################
1483 (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_watch_localtime'")1483 (>&2·echo·"Remediating·rule·19/51:·'audit_rules_time_stime'")
  
  
1484 #·Perform·the·remediation·for·both·possible·tools:·'auditctl'·and·'augenrules' 
1485 #·Function·to·fix·audit·file·system·object·watch·rule·for·given·path: 
1486 #·*·if·rule·exists,·also·verifies·the·-w·bits·match·the·requirements 
1487 #·*·if·rule·doesn't·exist·yet,·appends·expected·rule·form·to·$files_to_inspect 
1488 #···audit·rules·file,·depending·on·the·tool·which·was·used·to·load·audit·rules 
1489 # 
1490 #·Expects·four·arguments·(each·of·them·is·required)·in·the·form·of: 
1491 #·*·audit·tool»    »    »    »    tool·used·to·load·audit·rules, 
1492 #·»      »      »      »      »      either·'auditctl',·or·'augenrules' 
1493 #·*·path························» value·of·-w·audit·rule's·argument 
1494 #·*·required·access·bits········»   value·of·-p·audit·rule's·argument 
1495 #·*·key·························»  value·of·-k·audit·rule's·argument 
1496 # 
1497 #·Example·call: 
1498 # 
1499 #·······fix_audit_watch_rule·"auditctl"·"/etc/localtime"·"wa"·"audit_time_rules" 
1500 # 
1501 function·fix_audit_watch_rule·{ 
  
1502 #·Load·function·arguments·into·local·variables 
1503 local·tool="$1" 
1504 local·path="$2" 
1505 local·required_access_bits="$3" 
1506 local·key="$4" 
  
1507 #·Check·sanity·of·the·input 
1508 if·[·$#·-ne·"4"·] 
1509 then 
1510 »       echo·"Usage:·fix_audit_watch_rule·'tool'·'path'·'bits'·'key'" 
1511 »       echo·"Aborting." 
1512 »       exit·1 
1513 fi 
  
1514 #·Create·a·list·of·audit·*.rules·files·that·should·be·inspected·for·presence·and·correctness 
1515 #·of·a·particular·audit·rule.·The·scheme·is·as·follows: 
1516 # 
1517 #·----------------------------------------------------------------------------------------- 
1518 #·Tool·used·to·load·audit·rules»      |·Rule·already·defined»   |··Audit·rules·file·to·inspect»   ··| 
1519 #·----------------------------------------------------------------------------------------- 
1520 #»      auditctl»      »      |·····Doesn't·matter»|··/etc/audit/audit.rules» ··| 
1521 #·----------------------------------------------------------------------------------------- 
1522 #·»      augenrules»    »    |··········Yes»»|··/etc/audit/rules.d/*.rules»     ··| 
1523 #·»      augenrules»    »    |··········No» » |··/etc/audit/rules.d/$key.rules··| 
1524 #·----------------------------------------------------------------------------------------- 
1525 declare·-a·files_to_inspect 
  
1526 #·Check·sanity·of·the·specified·audit·tool 
1527 if·[·"$tool"·!=·'auditctl'·]·&&·[·"$tool"·!=·'augenrules'·] 
1528 then 
1529 »       echo·"Unknown·audit·rules·loading·tool:·$1.·Aborting." 
1530 »       echo·"Use·either·'auditctl'·or·'augenrules'!" 
1531 »       exit·1 
1532 #·If·the·audit·tool·is·'auditctl',·then·add·'/etc/audit/audit.rules' 
1533 #·into·the·list·of·files·to·be·inspected 
1534 elif·[·"$tool"·==·'auditctl'·] 
1535 then 
1536 »       files_to_inspect=("${files_to_inspect[@]}"·'/etc/audit/audit.rules') 
1537 #·If·the·audit·is·'augenrules',·then·check·if·rule·is·already·defined 
1538 #·If·rule·is·defined,·add·'/etc/audit/rules.d/*.rules'·to·list·of·files·for·inspection. 
1539 #·If·rule·isn't·defined,·add·'/etc/audit/rules.d/$key.rules'·to·list·of·files·for·inspection. 
1540 elif·[·"$tool"·==·'augenrules'·] 
1541 then 
1542 »       #·Case·when·particular·audit·rule·is·already·defined·in·some·of·/etc/audit/rules.d/*.rules·file 
1543 »       #·Get·pair·--·filepath·:·matching_row·into·@matches·array 
1544 »       IFS=$'\n'·matches=($(grep·-P·"[\s]*-w[\s]+$path"·/etc/audit/rules.d/*.rules)) 
1545 »       #·Reset·IFS·back·to·default 
1546 »       unset·IFS 
1547 »       #·For·each·of·the·matched·entries 
1548 »       for·match·in·"${matches[@]}" 
1549 »       do 
1550 »       »       #·Extract·filepath·from·the·match 
1551 »       »       rulesd_audit_file=$(echo·$match·|·cut·-f1·-d·':') 
1552 »       »       #·Append·that·path·into·list·of·files·for·inspection 
1553 »       »       files_to_inspect=("${files_to_inspect[@]}"·"$rulesd_audit_file") 
1554 »       done 
1555 »       #·Case·when·particular·audit·rule·isn't·defined·yet 
1556 »       if·[·${#files_to_inspect[@]}·-eq·"0"·] 
1557 »       then 
1558 »       »       #·Append·'/etc/audit/rules.d/$key.rules'·into·list·of·files·for·inspection 
1559 »       »       files_to_inspect="/etc/audit/rules.d/$key.rules" 
1560 »       »       #·If·the·$key.rules·file·doesn't·exist·yet,·create·it·with·correct·permissions 
1561 »       »       if·[·!·-e·"$files_to_inspect"·] 
1562 »       »       then 
1563 »       »       »       touch·"$files_to_inspect" 
1564 »       »       »       chmod·0640·"$files_to_inspect" 
1565 »       »       fi 
1566 »       fi 
1567 fi 
  
1568 #·Finally·perform·the·inspection·and·possible·subsequent·audit·rule 
1569 #·correction·for·each·of·the·files·previously·identified·for·inspection 
1570 for·audit_rules_file·in·"${files_to_inspect[@]}" 
1571 do 
  
1572 »       #·Check·if·audit·watch·file·system·object·rule·for·given·path·already·present 
1573 »       if·grep·-q·-P·--·"[\s]*-w[\s]+$path"·"$audit_rules_file" 
1574 »       then 
1575 »       »       #·Rule·is·found·=>·verify·yet·if·existing·rule·definition·contains 
1576 »       »       #·all·of·the·required·access·type·bits 
  
1577 »       »       #·Escape·slashes·in·path·for·use·in·sed·pattern·below 
1578 »       »       local·esc_path=${path//$'/'/$'\/'} 
1579 »       »       #·Define·BRE·whitespace·class·shortcut 
1580 »       »       local·sp="[[:space:]]" 
1581 »       »       #·Extract·current·permission·access·types·(e.g.·-p·[r|w|x|a]·values)·from·audit·rule 
1582 »       »       current_access_bits=$(sed·-ne·"s/$sp*-w$sp\+$esc_path$sp\+-p$sp\+\([rxwa]\{1,4\}\).*/\1/p"·"$audit_rules_file") 
1583 »       »       #·Split·required·access·bits·string·into·characters·array 
1584 »       »       #·(to·check·bit's·presence·for·one·bit·at·a·time) 
1585 »       »       for·access_bit·in·$(echo·"$required_access_bits"·|·grep·-o·.) 
1586 »       »       do 
1587 »       »       »       #·For·each·from·the·required·access·bits·(e.g.·'w',·'a')·check 
1588 »       »       »       #·if·they·are·already·present·in·current·access·bits·for·rule. 
1589 »       »       »       #·If·not,·append·that·bit·at·the·end 
1590 »       »       »       if·!·grep·-q·"$access_bit"·<<<·"$current_access_bits" 
1591 »       »       »       then 
Max diff block lines reached; 47569/54366 bytes (87.50%) of diff not shown.
126 KB
./usr/share/scap-security-guide/bash/ssg-sl7-role-stig-rhel7-disa.sh
    
Offset 496, 17 lines modifiedOffset 496, 17 lines modified
496 #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems'496 #·BEGIN·fix·(22·/·243)·for·'mount_option_nosuid_remote_filesystems'
497 ###############################################################################497 ###############################################################################
498 (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'")498 (>&2·echo·"Remediating·rule·22/243:·'mount_option_nosuid_remote_filesystems'")
499 #·FIX·FOR·THIS·RULE·IS·MISSING499 #·FIX·FOR·THIS·RULE·IS·MISSING
500 #·END·fix·for·'mount_option_nosuid_remote_filesystems'500 #·END·fix·for·'mount_option_nosuid_remote_filesystems'
  
501 ###############################################################################501 ###############################################################################
502 #·BEGIN·fix·(23·/·243)·for·'sshd_disable_user_known_hosts'502 #·BEGIN·fix·(23·/·243)·for·'sshd_enable_strictmodes'
503 ###############################################################################503 ###############################################################################
504 (>&2·echo·"Remediating·rule·23/243:·'sshd_disable_user_known_hosts'")504 (>&2·echo·"Remediating·rule·23/243:·'sshd_enable_strictmodes'")
505 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if505 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
506 #·it·does·not·exist.506 #·it·does·not·exist.
507 #507 #
508 #·Expects·arguments:508 #·Expects·arguments:
509 #509 #
510 #·config_file:»  »  Configuration·file·that·will·be·modified510 #·config_file:»  »  Configuration·file·that·will·be·modified
511 #·key:»  »  »  Configuration·option·to·change511 #·key:»  »  »  Configuration·option·to·change
Offset 577, 21 lines modifiedOffset 577, 21 lines modified
577 ··else577 ··else
578 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline578 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
579 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"579 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
580 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"580 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
581 ··fi581 ··fi
582 }582 }
  
583 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreUserKnownHosts'·'yes'·'CCE-80372-6'·'%s·%s'583 replace_or_append·'/etc/ssh/sshd_config'·'^StrictModes'·'yes'·'CCE-80222-3'·'%s·%s'
584 #·END·fix·for·'sshd_disable_user_known_hosts'584 #·END·fix·for·'sshd_enable_strictmodes'
  
585 ###############################################################################585 ###############################################################################
586 #·BEGIN·fix·(24·/·243)·for·'sshd_disable_empty_passwords'586 #·BEGIN·fix·(24·/·243)·for·'sshd_disable_user_known_hosts'
587 ###############################################################################587 ###############################################################################
588 (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_empty_passwords'")588 (>&2·echo·"Remediating·rule·24/243:·'sshd_disable_user_known_hosts'")
589 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if589 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
590 #·it·does·not·exist.590 #·it·does·not·exist.
591 #591 #
592 #·Expects·arguments:592 #·Expects·arguments:
593 #593 #
594 #·config_file:»  »  Configuration·file·that·will·be·modified594 #·config_file:»  »  Configuration·file·that·will·be·modified
595 #·key:»  »  »  Configuration·option·to·change595 #·key:»  »  »  Configuration·option·to·change
Offset 662, 21 lines modifiedOffset 662, 21 lines modified
662 ··else662 ··else
663 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline663 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
664 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"664 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
665 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"665 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
666 ··fi666 ··fi
667 }667 }
  
668 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'668 replace_or_append·'/etc/ssh/sshd_config'·'^IgnoreUserKnownHosts'·'yes'·'CCE-80372-6'·'%s·%s'
669 #·END·fix·for·'sshd_disable_empty_passwords'669 #·END·fix·for·'sshd_disable_user_known_hosts'
  
670 ###############################################################################670 ###############################################################################
671 #·BEGIN·fix·(25·/·243)·for·'sshd_set_keepalive'671 #·BEGIN·fix·(25·/·243)·for·'sshd_disable_empty_passwords'
672 ###############################################################################672 ###############################################################################
673 (>&2·echo·"Remediating·rule·25/243:·'sshd_set_keepalive'")673 (>&2·echo·"Remediating·rule·25/243:·'sshd_disable_empty_passwords'")
674 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if674 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
675 #·it·does·not·exist.675 #·it·does·not·exist.
676 #676 #
677 #·Expects·arguments:677 #·Expects·arguments:
678 #678 #
679 #·config_file:»  »  Configuration·file·that·will·be·modified679 #·config_file:»  »  Configuration·file·that·will·be·modified
680 #·key:»  »  »  Configuration·option·to·change680 #·key:»  »  »  Configuration·option·to·change
Offset 747, 21 lines modifiedOffset 747, 21 lines modified
747 ··else747 ··else
748 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline748 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
749 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"749 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
750 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"750 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
751 ··fi751 ··fi
752 }752 }
  
753 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'753 replace_or_append·'/etc/ssh/sshd_config'·'^PermitEmptyPasswords'·'no'·'CCE-27471-2'·'%s·%s'
754 #·END·fix·for·'sshd_set_keepalive'754 #·END·fix·for·'sshd_disable_empty_passwords'
  
755 ###############################################################################755 ###############################################################################
756 #·BEGIN·fix·(26·/·243)·for·'sshd_disable_rhosts_rsa'756 #·BEGIN·fix·(26·/·243)·for·'sshd_set_keepalive'
757 ###############################################################################757 ###############################################################################
758 (>&2·echo·"Remediating·rule·26/243:·'sshd_disable_rhosts_rsa'")758 (>&2·echo·"Remediating·rule·26/243:·'sshd_set_keepalive'")
759 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if759 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
760 #·it·does·not·exist.760 #·it·does·not·exist.
761 #761 #
762 #·Expects·arguments:762 #·Expects·arguments:
763 #763 #
764 #·config_file:»  »  Configuration·file·that·will·be·modified764 #·config_file:»  »  Configuration·file·that·will·be·modified
765 #·key:»  »  »  Configuration·option·to·change765 #·key:»  »  »  Configuration·option·to·change
Offset 832, 21 lines modifiedOffset 832, 23 lines modified
832 ··else832 ··else
833 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline833 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
834 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"834 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
835 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"835 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
836 ··fi836 ··fi
837 }837 }
  
838 replace_or_append·'/etc/ssh/sshd_config'·'^RhostsRSAAuthentication'·'no'·'CCE-80373-4'·'%s·%s'838 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveCountMax'·'0'·'CCE-27082-7'·'%s·%s'
839 #·END·fix·for·'sshd_disable_rhosts_rsa'839 #·END·fix·for·'sshd_set_keepalive'
  
840 ###############################################################################840 ###############################################################################
841 #·BEGIN·fix·(27·/·243)·for·'sshd_enable_warning_banner'841 #·BEGIN·fix·(27·/·243)·for·'sshd_set_idle_timeout'
842 ###############################################################################842 ###############################################################################
843 (>&2·echo·"Remediating·rule·27/243:·'sshd_enable_warning_banner'")843 (>&2·echo·"Remediating·rule·27/243:·'sshd_set_idle_timeout'")
  
 844 sshd_idle_timeout_value="600"
844 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if845 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
845 #·it·does·not·exist.846 #·it·does·not·exist.
846 #847 #
847 #·Expects·arguments:848 #·Expects·arguments:
848 #849 #
849 #·config_file:»  »  Configuration·file·that·will·be·modified850 #·config_file:»  »  Configuration·file·that·will·be·modified
850 #·key:»  »  »  Configuration·option·to·change851 #·key:»  »  »  Configuration·option·to·change
Offset 917, 23 lines modifiedOffset 919, 21 lines modified
917 ··else919 ··else
918 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline920 ····#·\n·is·precaution·for·case·where·file·ends·without·trailing·newline
919 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"921 ····printf·'\n#·Per·%s:·Set·%s·in·%s\n'·"$cce"·"$formatted_output"·"$config_file"·>>·"$config_file"
920 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"922 ····printf·'%s\n'·"$formatted_output"·>>·"$config_file"
921 ··fi923 ··fi
922 }924 }
  
923 replace_or_append·'/etc/ssh/sshd_config'·'^Banner'·'/etc/issue'·'CCE-27314-4'·'%s·%s'925 replace_or_append·'/etc/ssh/sshd_config'·'^ClientAliveInterval'·$sshd_idle_timeout_value·'CCE-27433-2'·'%s·%s'
924 #·END·fix·for·'sshd_enable_warning_banner'926 #·END·fix·for·'sshd_set_idle_timeout'
  
925 ###############################################################################927 ###############################################################################
926 #·BEGIN·fix·(28·/·243)·for·'sshd_use_approved_macs'928 #·BEGIN·fix·(28·/·243)·for·'sshd_enable_warning_banner'
927 ###############################################################################929 ###############################################################################
928 (>&2·echo·"Remediating·rule·28/243:·'sshd_use_approved_macs'")930 (>&2·echo·"Remediating·rule·28/243:·'sshd_enable_warning_banner'")
  
929 sshd_approved_macs="hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com" 
930 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if931 #·Function·to·replace·configuration·setting·in·config·file·or·add·the·configuration·setting·if
931 #·it·does·not·exist.932 #·it·does·not·exist.
932 #933 #
Max diff block lines reached; 122126/129181 bytes (94.54%) of diff not shown.
3.7 MB
./usr/share/xml/scap/ssg/content/ssg-centos6-ds.xml
3.7 MB
./usr/share/xml/scap/ssg/content/ssg-centos6-ds.xml
    
Offset 26, 21 lines modifiedOffset 26, 21 lines modified
26 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/>26 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/>
27 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/>27 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/>
28 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/>28 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/>
29 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/>29 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/>
30 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/>30 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/>
31 ····</ns0:checks>31 ····</ns0:checks>
32 ··</ns0:data-stream>32 ··</ns0:data-stream>
33 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-11T15:39:01">33 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-12T18:46:00">
34 ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">34 ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
35 ······<ns3:generator>35 ······<ns3:generator>
36 ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name>36 ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name>
37 ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version>37 ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version>
38 ········<ns5:schema_version>5.11</ns5:schema_version>38 ········<ns5:schema_version>5.11</ns5:schema_version>
39 ········<ns5:timestamp>2020-07-12T03:32:20</ns5:timestamp>39 ········<ns5:timestamp>2020-07-12T04:27:48</ns5:timestamp>
40 ······</ns3:generator>40 ······</ns3:generator>
41 ······<ns3:definitions>41 ······<ns3:definitions>
42 ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1">42 ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1">
43 ··········<ns3:metadata>43 ··········<ns3:metadata>
44 ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title>44 ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title>
45 ············<ns3:affected·family="unix">45 ············<ns3:affected·family="unix">
46 ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform>46 ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform>
Offset 27893, 87 lines modifiedOffset 27893, 99 lines modified
27893 ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>27893 ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>
27894 ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>27894 ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>
27895 ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>27895 ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>
27896 ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>27896 ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>
27897 ······</ns3:variables>27897 ······</ns3:variables>
27898 ····</ns3:oval_definitions>27898 ····</ns3:oval_definitions>
27899 ··</ns0:component>27899 ··</ns0:component>
27900 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-11T15:39:01">27900 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-12T18:46:00">
27901 ····<ns9:ocil>27901 ····<ns9:ocil>
27902 ······<ns9:generator>27902 ······<ns9:generator>
27903 ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name>27903 ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name>
27904 ········<ns9:product_version>ssg:·0.1.39</ns9:product_version>27904 ········<ns9:product_version>ssg:·0.1.39</ns9:product_version>
27905 ········<ns9:schema_version>2.0</ns9:schema_version>27905 ········<ns9:schema_version>2.0</ns9:schema_version>
27906 ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp>27906 ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp>
27907 ······</ns9:generator>27907 ······</ns9:generator>
27908 ······<ns9:questionnaires>27908 ······<ns9:questionnaires>
27909 ········<ns9:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">27909 ········<ns9:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1">
27910 ··········<ns9:title>Disable·Samba</ns9:title>27910 ··········<ns9:title>Enable·Logging·of·All·FTP·Transactions</ns9:title>
27911 ··········<ns9:actions> 
27912 ············<ns9:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns9:test_action_ref> 
27913 ··········</ns9:actions> 
27914 ········</ns9:questionnaire> 
27915 ········<ns9:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> 
27916 ··········<ns9:title>Uninstall·samba·Package</ns9:title> 
27917 ··········<ns9:actions>27911 ··········<ns9:actions>
27918 ············<ns9:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns9:test_action_ref>27912 ············<ns9:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns9:test_action_ref>
27919 ··········</ns9:actions>27913 ··········</ns9:actions>
27920 ········</ns9:questionnaire>27914 ········</ns9:questionnaire>
27921 ········<ns9:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">27915 ········<ns9:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1">
27922 ··········<ns9:title>Install·the·Samba·Common·Package</ns9:title>27916 ··········<ns9:title>Create·Warning·Banners·for·All·FTP·Users</ns9:title>
27923 ··········<ns9:actions>27917 ··········<ns9:actions>
27924 ············<ns9:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns9:test_action_ref>27918 ············<ns9:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns9:test_action_ref>
27925 ··········</ns9:actions>27919 ··········</ns9:actions>
27926 ········</ns9:questionnaire>27920 ········</ns9:questionnaire>
27927 ········<ns9:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1">27921 ········<ns9:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1">
27928 ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns9:title>27922 ··········<ns9:title>Disable·vsftpd·Service</ns9:title>
27929 ··········<ns9:actions>27923 ··········<ns9:actions>
27930 ············<ns9:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns9:test_action_ref>27924 ············<ns9:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns9:test_action_ref>
27931 ··········</ns9:actions>27925 ··········</ns9:actions>
27932 ········</ns9:questionnaire>27926 ········</ns9:questionnaire>
27933 ········<ns9:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1">27927 ········<ns9:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1">
27934 ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns9:title>27928 ··········<ns9:title>Uninstall·vsftpd·Package</ns9:title>
27935 ··········<ns9:actions>27929 ··········<ns9:actions>
27936 ············<ns9:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns9:test_action_ref>27930 ············<ns9:test_action_ref>ocil:ssg-package_vsftpd_removed_action:testaction:1</ns9:test_action_ref>
27937 ··········</ns9:actions>27931 ··········</ns9:actions>
27938 ········</ns9:questionnaire>27932 ········</ns9:questionnaire>
27939 ········<ns9:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1">27933 ········<ns9:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1">
27940 ··········<ns9:title>Disable·httpd·Service</ns9:title>27934 ··········<ns9:title>Disable·httpd·Service</ns9:title>
27941 ··········<ns9:actions>27935 ··········<ns9:actions>
27942 ············<ns9:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns9:test_action_ref>27936 ············<ns9:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns9:test_action_ref>
27943 ··········</ns9:actions>27937 ··········</ns9:actions>
27944 ········</ns9:questionnaire>27938 ········</ns9:questionnaire>
27945 ········<ns9:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1">27939 ········<ns9:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1">
27946 ··········<ns9:title>Uninstall·httpd·Package</ns9:title>27940 ··········<ns9:title>Uninstall·httpd·Package</ns9:title>
27947 ··········<ns9:actions>27941 ··········<ns9:actions>
27948 ············<ns9:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns9:test_action_ref>27942 ············<ns9:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns9:test_action_ref>
27949 ··········</ns9:actions>27943 ··········</ns9:actions>
27950 ········</ns9:questionnaire>27944 ········</ns9:questionnaire>
27951 ········<ns9:questionnaire·id="ocil:ssg-postfix_client_configure_mail_alias_ocil:questionnaire:1">27945 ········<ns9:questionnaire·id="ocil:ssg-service_named_disabled_ocil:questionnaire:1">
27952 ··········<ns9:title>Configure·System·to·Forward·All·Mail·For·The·Root·Account</ns9:title>27946 ··········<ns9:title>Disable·DNS·Server</ns9:title>
27953 ··········<ns9:actions>27947 ··········<ns9:actions>
27954 ············<ns9:test_action_ref>ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1</ns9:test_action_ref>27948 ············<ns9:test_action_ref>ocil:ssg-service_named_disabled_action:testaction:1</ns9:test_action_ref>
27955 ··········</ns9:actions>27949 ··········</ns9:actions>
27956 ········</ns9:questionnaire>27950 ········</ns9:questionnaire>
27957 ········<ns9:questionnaire·id="ocil:ssg-postfix_network_listening_disabled_ocil:questionnaire:1">27951 ········<ns9:questionnaire·id="ocil:ssg-package_bind_removed_ocil:questionnaire:1">
27958 ··········<ns9:title>Disable·Postfix·Network·Listening</ns9:title>27952 ··········<ns9:title>Uninstall·bind·Package</ns9:title>
27959 ··········<ns9:actions>27953 ··········<ns9:actions>
27960 ············<ns9:test_action_ref>ocil:ssg-postfix_network_listening_disabled_action:testaction:1</ns9:test_action_ref>27954 ············<ns9:test_action_ref>ocil:ssg-package_bind_removed_action:testaction:1</ns9:test_action_ref>
27961 ··········</ns9:actions>27955 ··········</ns9:actions>
27962 ········</ns9:questionnaire>27956 ········</ns9:questionnaire>
27963 ········<ns9:questionnaire·id="ocil:ssg-package_sendmail_removed_ocil:questionnaire:1">27957 ········<ns9:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">
27964 ··········<ns9:title>Uninstall·Sendmail·Package</ns9:title>27958 ··········<ns9:title>Disable·Samba</ns9:title>
27965 ··········<ns9:actions>27959 ··········<ns9:actions>
27966 ············<ns9:test_action_ref>ocil:ssg-package_sendmail_removed_action:testaction:1</ns9:test_action_ref>27960 ············<ns9:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns9:test_action_ref>
27967 ··········</ns9:actions>27961 ··········</ns9:actions>
27968 ········</ns9:questionnaire>27962 ········</ns9:questionnaire>
27969 ········<ns9:questionnaire·id="ocil:ssg-service_postfix_enabled_ocil:questionnaire:1">27963 ········<ns9:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1">
27970 ··········<ns9:title>Enable·Postfix·Service</ns9:title>27964 ··········<ns9:title>Uninstall·samba·Package</ns9:title>
27971 ··········<ns9:actions>27965 ··········<ns9:actions>
27972 ············<ns9:test_action_ref>ocil:ssg-service_postfix_enabled_action:testaction:1</ns9:test_action_ref>27966 ············<ns9:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns9:test_action_ref>
 27967 ··········</ns9:actions>
 27968 ········</ns9:questionnaire>
 27969 ········<ns9:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
 27970 ··········<ns9:title>Install·the·Samba·Common·Package</ns9:title>
 27971 ··········<ns9:actions>
 27972 ············<ns9:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns9:test_action_ref>
 27973 ··········</ns9:actions>
 27974 ········</ns9:questionnaire>
 27975 ········<ns9:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1">
 27976 ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns9:title>
 27977 ··········<ns9:actions>
 27978 ············<ns9:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns9:test_action_ref>
 27979 ··········</ns9:actions>
 27980 ········</ns9:questionnaire>
 27981 ········<ns9:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1">
 27982 ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns9:title>
 27983 ··········<ns9:actions>
 27984 ············<ns9:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns9:test_action_ref>
27973 ··········</ns9:actions>27985 ··········</ns9:actions>
27974 ········</ns9:questionnaire>27986 ········</ns9:questionnaire>
27975 ········<ns9:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1">27987 ········<ns9:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1">
27976 ··········<ns9:title>Configure·SSSD's·Memory·Cache·to·Expire</ns9:title>27988 ··········<ns9:title>Configure·SSSD's·Memory·Cache·to·Expire</ns9:title>
27977 ··········<ns9:actions>27989 ··········<ns9:actions>
27978 ············<ns9:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns9:test_action_ref>27990 ············<ns9:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns9:test_action_ref>
27979 ··········</ns9:actions>27991 ··········</ns9:actions>
Max diff block lines reached; 3871933/3882742 bytes (99.72%) of diff not shown.
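Review bot: The two builds of ssg-centos6-ds.xml differ only in embedded build-time values, which is what makes the package unreproducible: the `timestamp` attribute on both `ns0:component` elements (lines 33 and 27900) and the OVAL `ns5:timestamp` (line 39) change between runs, while the OCIL `ns9:timestamp` at line 27906 is the same `2018-07-26T14:58:28Z` on both sides, matching the file dates in the .deb listing, so the SOURCE_DATE_EPOCH clamp is evidently applied to one generator but not to combine-ovals.py or the data-stream assembler. The second hunk also shows the `ns9:questionnaire` elements emitted in a different order (ftp/vsftpd/named/bind entries now precede the samba block) with no content change, which looks like unordered dict or set iteration in the Python 2.7 generator; confirm in xccdf-create-ocil.xslt and its driver. Proposed fixes, in the generators rather than in this artifact: derive every timestamp from SOURCE_DATE_EPOCH when it is set, and emit questionnaires sorted by `id` (for example `sorted(questionnaires, key=lambda q: q.get("id"))`) so the order is stable. The section is truncated at 99.72% of the diff not shown, so further nondeterministic spots may exist beyond what is visible here.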
1.68 MB
./usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
1.68 MB
./usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml
    
Offset 213, 1325 lines modifiedOffset 213, 14 lines modified
213 ····<dc:contributor>Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>213 ····<dc:contributor>Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>
214 ····<dc:contributor>Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>214 ····<dc:contributor>Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
215 ····<dc:contributor>Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>215 ····<dc:contributor>Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>
216 ····<dc:contributor>Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>216 ····<dc:contributor>Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>
217 ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>217 ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
218 ··</ns0:metadata>218 ··</ns0:metadata>
219 ··<ns0:model·system="urn:xccdf:scoring:default"/>219 ··<ns0:model·system="urn:xccdf:scoring:default"/>
220 ··<ns0:Profile·id="usgcb-rhel6-server"> 
221 ····<ns0:title·override="true"·xml:lang="en-US">United·States·Government·Configuration·Baseline·(USGCB)</ns0:title> 
222 ····<ns0:description·override="true"·xml:lang="en-US">This·profile·is·a·working·draft·for·a·USGCB·submission·against 
223 RHEL6·Server.</ns0:description> 
224 ····<ns0:select·idref="kernel_disable_entropy_contribution_for_solid_state_drives"·selected="true"/> 
225 ····<ns0:select·idref="partition_for_tmp"·selected="true"/> 
226 ····<ns0:select·idref="partition_for_var"·selected="true"/> 
227 ····<ns0:select·idref="partition_for_var_log"·selected="true"/> 
228 ····<ns0:select·idref="partition_for_var_log_audit"·selected="true"/> 
229 ····<ns0:select·idref="partition_for_home"·selected="true"/> 
230 ····<ns0:select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> 
231 ····<ns0:select·idref="service_rhnsd_disabled"·selected="true"/> 
232 ····<ns0:select·idref="security_patches_up_to_date"·selected="true"/> 
233 ····<ns0:select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> 
234 ····<ns0:select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> 
235 ····<ns0:select·idref="package_aide_installed"·selected="true"/> 
236 ····<ns0:select·idref="rpm_verify_permissions"·selected="true"/> 
237 ····<ns0:select·idref="rpm_verify_hashes"·selected="true"/> 
238 ····<ns0:select·idref="mount_option_nodev_nonroot_local_partitions"·selected="true"/> 
239 ····<ns0:select·idref="mount_option_nodev_removable_partitions"·selected="true"/> 
240 ····<ns0:select·idref="mount_option_noexec_removable_partitions"·selected="true"/> 
241 ····<ns0:select·idref="mount_option_nosuid_removable_partitions"·selected="true"/> 
242 ····<ns0:select·idref="mount_option_tmp_nodev"·selected="true"/> 
243 ····<ns0:select·idref="mount_option_tmp_nosuid"·selected="true"/> 
244 ····<ns0:select·idref="mount_option_tmp_noexec"·selected="true"/> 
245 ····<ns0:select·idref="mount_option_dev_shm_nodev"·selected="true"/> 
246 ····<ns0:select·idref="mount_option_dev_shm_nosuid"·selected="true"/> 
247 ····<ns0:select·idref="mount_option_dev_shm_noexec"·selected="true"/> 
248 ····<ns0:select·idref="mount_option_var_tmp_bind"·selected="true"/> 
249 ····<ns0:select·idref="kernel_module_cramfs_disabled"·selected="true"/> 
250 ····<ns0:select·idref="kernel_module_freevxfs_disabled"·selected="true"/> 
251 ····<ns0:select·idref="kernel_module_hfs_disabled"·selected="true"/> 
252 ····<ns0:select·idref="kernel_module_hfsplus_disabled"·selected="true"/> 
253 ····<ns0:select·idref="kernel_module_jffs2_disabled"·selected="true"/> 
254 ····<ns0:select·idref="kernel_module_squashfs_disabled"·selected="true"/> 
255 ····<ns0:select·idref="kernel_module_udf_disabled"·selected="true"/> 
256 ····<ns0:select·idref="file_permissions_etc_gshadow"·selected="true"/> 
257 ····<ns0:select·idref="file_owner_etc_gshadow"·selected="true"/> 
258 ····<ns0:select·idref="file_groupowner_etc_gshadow"·selected="true"/> 
259 ····<ns0:select·idref="file_permissions_etc_shadow"·selected="true"/> 
260 ····<ns0:select·idref="userowner_shadow_file"·selected="true"/> 
261 ····<ns0:select·idref="groupowner_shadow_file"·selected="true"/> 
262 ····<ns0:select·idref="file_permissions_etc_group"·selected="true"/> 
263 ····<ns0:select·idref="file_owner_etc_group"·selected="true"/> 
264 ····<ns0:select·idref="file_groupowner_etc_group"·selected="true"/> 
265 ····<ns0:select·idref="file_permissions_etc_passwd"·selected="true"/> 
266 ····<ns0:select·idref="file_owner_etc_passwd"·selected="true"/> 
267 ····<ns0:select·idref="file_groupowner_etc_passwd"·selected="true"/> 
268 ····<ns0:select·idref="dir_perms_world_writable_sticky_bits"·selected="true"/> 
269 ····<ns0:select·idref="file_permissions_unauthorized_world_writable"·selected="true"/> 
270 ····<ns0:select·idref="file_permissions_unauthorized_sgid"·selected="true"/> 
271 ····<ns0:select·idref="file_permissions_unauthorized_suid"·selected="true"/> 
272 ····<ns0:select·idref="no_files_unowned_by_user"·selected="true"/> 
273 ····<ns0:select·idref="file_permissions_ungroupowned"·selected="true"/> 
274 ····<ns0:select·idref="dir_perms_world_writable_system_owned"·selected="true"/> 
275 ····<ns0:select·idref="umask_for_daemons"·selected="true"/> 
276 ····<ns0:select·idref="sysctl_fs_suid_dumpable"·selected="true"/> 
277 ····<ns0:select·idref="disable_users_coredumps"·selected="true"/> 
278 ····<ns0:select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> 
279 ····<ns0:select·idref="sysctl_kernel_exec_shield"·selected="true"/> 
280 ····<ns0:select·idref="install_PAE_kernel_on_x86-32"·selected="true"/> 
281 ····<ns0:select·idref="securetty_root_login_console_only"·selected="true"/> 
282 ····<ns0:select·idref="restrict_serial_port_logins"·selected="true"/> 
283 ····<ns0:select·idref="no_empty_passwords"·selected="true"/> 
284 ····<ns0:select·idref="accounts_password_all_shadowed"·selected="true"/> 
285 ····<ns0:select·idref="accounts_no_uid_except_zero"·selected="true"/> 
286 ····<ns0:select·idref="accounts_password_warn_age_login_defs"·selected="true"/> 
287 ····<ns0:select·idref="accounts_maximum_age_login_defs"·selected="true"/> 
288 ····<ns0:select·idref="accounts_password_minlen_login_defs"·selected="true"/> 
289 ····<ns0:select·idref="accounts_password_pam_retry"·selected="true"/> 
290 ····<ns0:select·idref="accounts_password_pam_dcredit"·selected="true"/> 
291 ····<ns0:select·idref="accounts_password_pam_ucredit"·selected="true"/> 
292 ····<ns0:select·idref="accounts_password_pam_lcredit"·selected="true"/> 
293 ····<ns0:select·idref="accounts_password_pam_ocredit"·selected="true"/> 
294 ····<ns0:select·idref="accounts_password_pam_difok"·selected="true"/> 
295 ····<ns0:select·idref="accounts_passwords_pam_faillock_deny"·selected="true"/> 
296 ····<ns0:select·idref="set_password_hashing_algorithm_systemauth"·selected="true"/> 
297 ····<ns0:select·idref="set_password_hashing_algorithm_logindefs"·selected="true"/> 
298 ····<ns0:select·idref="accounts_password_pam_unix_remember"·selected="true"/> 
299 ····<ns0:select·idref="root_path_no_dot"·selected="true"/> 
300 ····<ns0:select·idref="accounts_root_path_dirs_no_write"·selected="true"/> 
301 ····<ns0:select·idref="file_permissions_home_dirs"·selected="true"/> 
302 ····<ns0:select·idref="accounts_umask_etc_bashrc"·selected="true"/> 
303 ····<ns0:select·idref="accounts_umask_etc_csh_cshrc"·selected="true"/> 
304 ····<ns0:select·idref="accounts_umask_etc_profile"·selected="true"/> 
305 ····<ns0:select·idref="accounts_umask_etc_login_defs"·selected="true"/> 
306 ····<ns0:select·idref="file_user_owner_grub_conf"·selected="true"/> 
307 ····<ns0:select·idref="file_group_owner_grub_conf"·selected="true"/> 
308 ····<ns0:select·idref="file_permissions_grub_conf"·selected="true"/> 
309 ····<ns0:select·idref="bootloader_password"·selected="true"/> 
310 ····<ns0:select·idref="disable_interactive_boot"·selected="true"/> 
311 ····<ns0:select·idref="gconf_gnome_screensaver_idle_delay"·selected="true"/> 
312 ····<ns0:select·idref="gconf_gnome_screensaver_idle_activation_enabled"·selected="true"/> 
313 ····<ns0:select·idref="gconf_gnome_screensaver_lock_enabled"·selected="true"/> 
314 ····<ns0:select·idref="gconf_gnome_screensaver_mode_blank"·selected="true"/> 
315 ····<ns0:select·idref="banner_etc_issue"·selected="true"/> 
316 ····<ns0:select·idref="selinux_state"·selected="true"/> 
317 ····<ns0:select·idref="selinux_policytype"·selected="true"/> 
318 ····<ns0:select·idref="enable_selinux_bootloader"·selected="true"/> 
319 ····<ns0:select·idref="selinux_confinement_of_daemons"·selected="true"/> 
320 ····<ns0:select·idref="selinux_all_devicefiles_labeled"·selected="true"/> 
321 ····<ns0:select·idref="sysctl_net_ipv4_ip_forward"·selected="true"/> 
322 ····<ns0:select·idref="sysctl_net_ipv4_conf_all_send_redirects"·selected="true"/> 
323 ····<ns0:select·idref="sysctl_net_ipv4_conf_default_send_redirects"·selected="true"/> 
324 ····<ns0:select·idref="sysctl_net_ipv4_conf_all_secure_redirects"·selected="true"/> 
325 ····<ns0:select·idref="sysctl_net_ipv4_conf_all_accept_redirects"·selected="true"/> 
326 ····<ns0:select·idref="sysctl_net_ipv4_conf_default_accept_source_route"·selected="true"/> 
327 ····<ns0:select·idref="sysctl_net_ipv4_conf_default_secure_redirects"·selected="true"/> 
328 ····<ns0:select·idref="sysctl_net_ipv4_conf_default_accept_redirects"·selected="true"/> 
329 ····<ns0:select·idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses"·selected="true"/> 
330 ····<ns0:select·idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts"·selected="true"/> 
331 ····<ns0:select·idref="sysctl_net_ipv4_conf_all_log_martians"·selected="true"/> 
332 ····<ns0:select·idref="sysctl_net_ipv4_conf_all_rp_filter"·selected="true"/> 
333 ····<ns0:select·idref="sysctl_net_ipv4_tcp_syncookies"·selected="true"/> 
334 ····<ns0:select·idref="sysctl_net_ipv4_conf_default_rp_filter"·selected="true"/> 
335 ····<ns0:select·idref="wireless_disable_in_bios"·selected="true"/> 
336 ····<ns0:select·idref="service_bluetooth_disabled"·selected="true"/> 
337 ····<ns0:select·idref="network_ipv6_disable_rpc"·selected="true"/> 
338 ····<ns0:select·idref="sysctl_net_ipv6_conf_default_accept_ra"·selected="true"/> 
339 ····<ns0:select·idref="sysctl_net_ipv6_conf_default_accept_redirects"·selected="true"/> 
Max diff block lines reached; 1662681/1756404 bytes (94.66%) of diff not shown.
5.28 MB
./usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
5.28 MB
./usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
    
Offset 26, 21 lines modifiedOffset 26, 21 lines modified
26 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/>26 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/>
27 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/>27 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/>
28 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/>28 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/>
29 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/>29 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/>
30 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/>30 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/>
31 ····</ns0:checks>31 ····</ns0:checks>
32 ··</ns0:data-stream>32 ··</ns0:data-stream>
33 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-11T15:39:02">33 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-12T18:46:05">
34 ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">34 ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
35 ······<ns3:generator>35 ······<ns3:generator>
36 ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name>36 ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name>
37 ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version>37 ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version>
38 ········<ns5:schema_version>5.11</ns5:schema_version>38 ········<ns5:schema_version>5.11</ns5:schema_version>
39 ········<ns5:timestamp>2020-07-12T03:33:36</ns5:timestamp>39 ········<ns5:timestamp>2020-07-12T04:32:03</ns5:timestamp>
40 ······</ns3:generator>40 ······</ns3:generator>
41 ······<ns3:definitions>41 ······<ns3:definitions>
42 ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1">42 ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1">
43 ··········<ns3:metadata>43 ··········<ns3:metadata>
44 ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title>44 ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title>
45 ············<ns3:affected·family="unix">45 ············<ns3:affected·family="unix">
46 ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform>46 ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform>
Offset 31871, 29 lines modifiedOffset 31871, 23 lines modified
31871 ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>31871 ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>
31872 ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>31872 ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>
31873 ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>31873 ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>
31874 ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>31874 ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>
31875 ······</ns3:variables>31875 ······</ns3:variables>
31876 ····</ns3:oval_definitions>31876 ····</ns3:oval_definitions>
31877 ··</ns0:component>31877 ··</ns0:component>
31878 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-11T15:39:03">31878 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-12T18:46:05">
31879 ····<ns9:ocil>31879 ····<ns9:ocil>
31880 ······<ns9:generator>31880 ······<ns9:generator>
31881 ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name>31881 ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name>
31882 ········<ns9:product_version>ssg:·0.1.39</ns9:product_version>31882 ········<ns9:product_version>ssg:·0.1.39</ns9:product_version>
31883 ········<ns9:schema_version>2.0</ns9:schema_version>31883 ········<ns9:schema_version>2.0</ns9:schema_version>
31884 ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp>31884 ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp>
31885 ······</ns9:generator>31885 ······</ns9:generator>
31886 ······<ns9:questionnaires>31886 ······<ns9:questionnaires>
31887 ········<ns9:questionnaire·id="ocil:ssg-service_docker_enabled_ocil:questionnaire:1"> 
31888 ··········<ns9:title>Enable·the·Docker·service</ns9:title> 
31889 ··········<ns9:actions> 
31890 ············<ns9:test_action_ref>ocil:ssg-service_docker_enabled_action:testaction:1</ns9:test_action_ref> 
31891 ··········</ns9:actions> 
31892 ········</ns9:questionnaire> 
31893 ········<ns9:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1">31887 ········<ns9:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1">
31894 ··········<ns9:title>Uninstall·rsh·Package</ns9:title>31888 ··········<ns9:title>Uninstall·rsh·Package</ns9:title>
31895 ··········<ns9:actions>31889 ··········<ns9:actions>
31896 ············<ns9:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns9:test_action_ref>31890 ············<ns9:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns9:test_action_ref>
31897 ··········</ns9:actions>31891 ··········</ns9:actions>
31898 ········</ns9:questionnaire>31892 ········</ns9:questionnaire>
31899 ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1">31893 ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1">
Offset 31952, 26 lines modifiedOffset 31946, 26 lines modified
31952 ········</ns9:questionnaire>31946 ········</ns9:questionnaire>
31953 ········<ns9:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1">31947 ········<ns9:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1">
31954 ··········<ns9:title>Uninstall·telnet-server·Package</ns9:title>31948 ··········<ns9:title>Uninstall·telnet-server·Package</ns9:title>
31955 ··········<ns9:actions>31949 ··········<ns9:actions>
31956 ············<ns9:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns9:test_action_ref>31950 ············<ns9:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns9:test_action_ref>
31957 ··········</ns9:actions>31951 ··········</ns9:actions>
31958 ········</ns9:questionnaire>31952 ········</ns9:questionnaire>
31959 ········<ns9:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> 
31960 ··········<ns9:title>Disable·ypbind·Service</ns9:title> 
31961 ··········<ns9:actions> 
31962 ············<ns9:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns9:test_action_ref> 
31963 ··········</ns9:actions> 
31964 ········</ns9:questionnaire> 
31965 ········<ns9:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1">31953 ········<ns9:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1">
31966 ··········<ns9:title>Remove·NIS·Client</ns9:title>31954 ··········<ns9:title>Remove·NIS·Client</ns9:title>
31967 ··········<ns9:actions>31955 ··········<ns9:actions>
31968 ············<ns9:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns9:test_action_ref>31956 ············<ns9:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns9:test_action_ref>
31969 ··········</ns9:actions>31957 ··········</ns9:actions>
31970 ········</ns9:questionnaire>31958 ········</ns9:questionnaire>
 31959 ········<ns9:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1">
 31960 ··········<ns9:title>Disable·ypbind·Service</ns9:title>
 31961 ··········<ns9:actions>
 31962 ············<ns9:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns9:test_action_ref>
 31963 ··········</ns9:actions>
 31964 ········</ns9:questionnaire>
31971 ········<ns9:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">31965 ········<ns9:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
31972 ··········<ns9:title>Uninstall·ypserv·Package</ns9:title>31966 ··········<ns9:title>Uninstall·ypserv·Package</ns9:title>
31973 ··········<ns9:actions>31967 ··········<ns9:actions>
31974 ············<ns9:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns9:test_action_ref>31968 ············<ns9:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns9:test_action_ref>
31975 ··········</ns9:actions>31969 ··········</ns9:actions>
31976 ········</ns9:questionnaire>31970 ········</ns9:questionnaire>
31977 ········<ns9:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1">31971 ········<ns9:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1">
Offset 31994, 26 lines modifiedOffset 31988, 26 lines modified
31994 ········</ns9:questionnaire>31988 ········</ns9:questionnaire>
31995 ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">31989 ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
31996 ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title>31990 ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title>
31997 ··········<ns9:actions>31991 ··········<ns9:actions>
31998 ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref>31992 ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref>
31999 ··········</ns9:actions>31993 ··········</ns9:actions>
32000 ········</ns9:questionnaire>31994 ········</ns9:questionnaire>
32001 ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> 
32002 ··········<ns9:title>Disable·xinetd·Service</ns9:title> 
32003 ··········<ns9:actions> 
32004 ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref> 
32005 ··········</ns9:actions> 
32006 ········</ns9:questionnaire> 
32007 ········<ns9:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1">31995 ········<ns9:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1">
32008 ··········<ns9:title>Install·tcp_wrappers·Package</ns9:title>31996 ··········<ns9:title>Install·tcp_wrappers·Package</ns9:title>
32009 ··········<ns9:actions>31997 ··········<ns9:actions>
32010 ············<ns9:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns9:test_action_ref>31998 ············<ns9:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns9:test_action_ref>
32011 ··········</ns9:actions>31999 ··········</ns9:actions>
32012 ········</ns9:questionnaire>32000 ········</ns9:questionnaire>
 32001 ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1">
 32002 ··········<ns9:title>Disable·xinetd·Service</ns9:title>
 32003 ··········<ns9:actions>
 32004 ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref>
 32005 ··········</ns9:actions>
 32006 ········</ns9:questionnaire>
32013 ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1">32007 ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1">
32014 ··········<ns9:title>Uninstall·xinetd·Package</ns9:title>32008 ··········<ns9:title>Uninstall·xinetd·Package</ns9:title>
32015 ··········<ns9:actions>32009 ··········<ns9:actions>
32016 ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref>32010 ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref>
32017 ··········</ns9:actions>32011 ··········</ns9:actions>
32018 ········</ns9:questionnaire>32012 ········</ns9:questionnaire>
32019 ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">32013 ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
Offset 32024, 26 lines modifiedOffset 32018, 38 lines modified
32024 ········</ns9:questionnaire>32018 ········</ns9:questionnaire>
32025 ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1">32019 ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1">
32026 ··········<ns9:title>Uninstall·talk-server·Package</ns9:title>32020 ··········<ns9:title>Uninstall·talk-server·Package</ns9:title>
32027 ··········<ns9:actions>32021 ··········<ns9:actions>
32028 ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref>32022 ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref>
32029 ··········</ns9:actions>32023 ··········</ns9:actions>
32030 ········</ns9:questionnaire>32024 ········</ns9:questionnaire>
32031 ········<ns9:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1">32025 ········<ns9:questionnaire·id="ocil:ssg-service_dovecot_disabled_ocil:questionnaire:1">
32032 ··········<ns9:title>Create·Warning·Banners·for·All·FTP·Users</ns9:title>32026 ··········<ns9:title>Disable·Dovecot·Service</ns9:title>
Max diff block lines reached; 5529958/5538602 bytes (99.84%) of diff not shown.
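Review bot: This data stream is not reproducible: the two builds differ only by wall-clock timestamps and by the order of OCIL questionnaires, so a published checksum of ssg-centos7-ds.xml cannot be confirmed by an independent rebuild and a tampered copy is indistinguishable from a legitimate one. The component `timestamp` attributes at lines 33 and 31878 and the OVAL generator `<ns5:timestamp>` at line 39 carry the build time, whereas the OCIL generator timestamp at line 31884 (`2018-07-26T14:58:28Z`) is identical on both sides, so one generator already honours a fixed build date and `combine-ovals.py` and the data-stream composer presumably should derive theirs from the same source (SOURCE_DATE_EPOCH). The `service_ypbind_disabled` and `service_xinetd_disabled` questionnaires are emitted before `package_ypbind_removed` and `package_tcp_wrappers_installed` in one build and after them in the other, which looks like iteration over an unordered collection in `xccdf-create-ocil.xslt` or its caller; sorting questionnaires by `id` before emission would make the order stable. The same generator-timestamp difference appears at line 7 of the ssg-rhel-osp7-cpe-oval.xml section below. Every hunk of this section is truncated on the page, so the enclosing elements close outside the visible lines.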
1.9 MB
./usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
1.9 MB
./usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml
    
Offset 213, 348 lines modifiedOffset 213, 14 lines modified
213 ····<dc:contributor>Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>213 ····<dc:contributor>Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>
214 ····<dc:contributor>Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>214 ····<dc:contributor>Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
215 ····<dc:contributor>Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>215 ····<dc:contributor>Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>
216 ····<dc:contributor>Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>216 ····<dc:contributor>Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>
217 ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>217 ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
218 ··</ns0:metadata>218 ··</ns0:metadata>
219 ··<ns0:model·system="urn:xccdf:scoring:default"/>219 ··<ns0:model·system="urn:xccdf:scoring:default"/>
220 ··<ns0:Profile·id="hipaa"> 
221 ····<ns0:title·override="true"·xml:lang="en-US">Health·Insurance·Portability·and·Accountability·Act·(HIPAA)</ns0:title> 
222 ····<ns0:description·override="true"·xml:lang="en-US">The·HIPAA·Security·Rule·establishes·U.S.·national·standards·to·protect·individuals’ 
223 electronic·personal·health·information·that·is·created,·received,·used,·or 
224 maintained·by·a·covered·entity.·The·Security·Rule·requires·appropriate 
225 administrative,·physical·and·technical·safeguards·to·ensure·the 
226 confidentiality,·integrity,·and·security·of·electronic·protected·health 
227 information. 
  
228 This·profile·configures·Red·Hat·Enterprise·Linux·7·to·the·HIPAA·Security 
229 Rule·identified·for·securing·of·electronic·protected·health·information.</ns0:description> 
230 ····<ns0:select·idref="bootloader_password"·selected="true"/> 
231 ····<ns0:select·idref="bootloader_uefi_password"·selected="true"/> 
232 ····<ns0:select·idref="file_group_owner_grub2_cfg"·selected="true"/> 
233 ····<ns0:select·idref="file_permissions_grub2_cfg"·selected="true"/> 
234 ····<ns0:select·idref="file_user_owner_grub2_cfg"·selected="true"/> 
235 ····<ns0:select·idref="disable_interactive_boot"·selected="true"/> 
236 ····<ns0:select·idref="no_direct_root_logins"·selected="true"/> 
237 ····<ns0:select·idref="no_empty_passwords"·selected="true"/> 
238 ····<ns0:select·idref="require_singleuser_auth"·selected="true"/> 
239 ····<ns0:select·idref="restrict_serial_port_logins"·selected="true"/> 
240 ····<ns0:select·idref="securetty_root_login_console_only"·selected="true"/> 
241 ····<ns0:select·idref="service_debug-shell_disabled"·selected="true"/> 
242 ····<ns0:select·idref="disable_ctrlaltdel_reboot"·selected="true"/> 
243 ····<ns0:select·idref="disable_ctrlaltdel_burstaction"·selected="true"/> 
244 ····<ns0:select·idref="dconf_gnome_remote_access_credential_prompt"·selected="true"/> 
245 ····<ns0:select·idref="dconf_gnome_remote_access_encryption"·selected="true"/> 
246 ····<ns0:select·idref="sshd_disable_empty_passwords"·selected="true"/> 
247 ····<ns0:select·idref="sshd_disable_root_login"·selected="true"/> 
248 ····<ns0:select·idref="libreswan_approved_tunnels"·selected="true"/> 
249 ····<ns0:select·idref="no_rsh_trust_files"·selected="true"/> 
250 ····<ns0:select·idref="package_rsh_removed"·selected="true"/> 
251 ····<ns0:select·idref="package_rsh-server_removed"·selected="true"/> 
252 ····<ns0:select·idref="package_talk_removed"·selected="true"/> 
253 ····<ns0:select·idref="package_talk-server_removed"·selected="true"/> 
254 ····<ns0:select·idref="package_telnet_removed"·selected="true"/> 
255 ····<ns0:select·idref="package_telnet-server_removed"·selected="true"/> 
256 ····<ns0:select·idref="package_xinetd_removed"·selected="true"/> 
257 ····<ns0:select·idref="package_ypbind_removed"·selected="true"/> 
258 ····<ns0:select·idref="package_ypserv_removed"·selected="true"/> 
259 ····<ns0:select·idref="service_crond_enabled"·selected="true"/> 
260 ····<ns0:select·idref="service_rexec_disabled"·selected="true"/> 
261 ····<ns0:select·idref="service_rlogin_disabled"·selected="true"/> 
262 ····<ns0:select·idref="service_rsh_disabled"·selected="true"/> 
263 ····<ns0:select·idref="service_telnet_disabled"·selected="true"/> 
264 ····<ns0:select·idref="service_xinetd_disabled"·selected="true"/> 
265 ····<ns0:select·idref="service_ypbind_disabled"·selected="true"/> 
266 ····<ns0:select·idref="service_zebra_disabled"·selected="true"/> 
267 ····<ns0:select·idref="use_kerberos_security_all_exports"·selected="true"/> 
268 ····<ns0:select·idref="disable_host_auth"·selected="true"/> 
269 ····<ns0:select·idref="sshd_allow_only_protocol2"·selected="true"/> 
270 ····<ns0:select·idref="sshd_disable_compression"·selected="true"/> 
271 ····<ns0:select·idref="sshd_disable_gssapi_auth"·selected="true"/> 
272 ····<ns0:select·idref="sshd_disable_kerb_auth"·selected="true"/> 
273 ····<ns0:select·idref="sshd_disable_rhosts_rsa"·selected="true"/> 
274 ····<ns0:select·idref="sshd_disable_rhosts"·selected="true"/> 
275 ····<ns0:select·idref="sshd_disable_user_known_hosts"·selected="true"/> 
276 ····<ns0:select·idref="sshd_do_not_permit_user_env"·selected="true"/> 
277 ····<ns0:select·idref="sshd_enable_strictmodes"·selected="true"/> 
278 ····<ns0:select·idref="sshd_enable_warning_banner"·selected="true"/> 
279 ····<ns0:select·idref="sshd_set_keepalive"·selected="true"/> 
280 ····<ns0:select·idref="sshd_use_priv_separation"·selected="true"/> 
281 ····<ns0:select·idref="encrypt_partitions"·selected="true"/> 
282 ····<ns0:select·idref="sshd_use_approved_ciphers"·selected="true"/> 
283 ····<ns0:select·idref="sshd_use_approved_macs"·selected="true"/> 
284 ····<ns0:select·idref="enable_selinux_bootloader"·selected="true"/> 
285 ····<ns0:select·idref="sebool_selinuxuser_execheap"·selected="true"/> 
286 ····<ns0:select·idref="sebool_selinuxuser_execmod"·selected="true"/> 
287 ····<ns0:select·idref="sebool_selinuxuser_execstack"·selected="true"/> 
288 ····<ns0:select·idref="selinux_confinement_of_daemons"·selected="true"/> 
289 ····<ns0:select·idref="selinux_policytype"·selected="true"/> 
290 ····<ns0:select·idref="selinux_state"·selected="true"/> 
291 ····<ns0:select·idref="service_kdump_disabled"·selected="true"/> 
292 ····<ns0:select·idref="sysctl_fs_suid_dumpable"·selected="true"/> 
293 ····<ns0:select·idref="sysctl_kernel_dmesg_restrict"·selected="true"/> 
294 ····<ns0:select·idref="sysctl_kernel_exec_shield"·selected="true"/> 
295 ····<ns0:select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> 
296 ····<ns0:select·idref="rpm_verify_hashes"·selected="true"/> 
297 ····<ns0:select·idref="rpm_verify_permissions"·selected="true"/> 
298 ····<ns0:select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> 
299 ····<ns0:select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> 
300 ····<ns0:select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> 
301 ····<ns0:select·idref="ensure_gpgcheck_repo_metadata"·selected="true"/> 
302 ····<ns0:select·idref="ensure_gpgcheck_local_packages"·selected="true"/> 
303 ····<ns0:select·idref="bootloader_audit_argument"·selected="true"/> 
304 ····<ns0:select·idref="service_auditd_enabled"·selected="true"/> 
305 ····<ns0:select·idref="audit_rules_privileged_commands_sudo"·selected="true"/> 
306 ····<ns0:select·idref="audit_rules_privileged_commands_su"·selected="true"/> 
307 ····<ns0:select·idref="audit_rules_immutable"·selected="true"/> 
308 ····<ns0:select·idref="kernel_module_usb-storage_disabled"·selected="true"/> 
309 ····<ns0:select·idref="service_autofs_disabled"·selected="true"/> 
310 ····<ns0:select·idref="auditd_audispd_syslog_plugin_activated"·selected="true"/> 
311 ····<ns0:select·idref="rsyslog_remote_loghost"·selected="true"/> 
312 ····<ns0:select·idref="auditd_data_retention_flush"·selected="true"/> 
313 ····<ns0:select·idref="audit_rules_dac_modification_chmod"·selected="true"/> 
314 ····<ns0:select·idref="audit_rules_dac_modification_chown"·selected="true"/> 
315 ····<ns0:select·idref="audit_rules_dac_modification_fchmodat"·selected="true"/> 
316 ····<ns0:select·idref="audit_rules_dac_modification_fchmod"·selected="true"/> 
317 ····<ns0:select·idref="audit_rules_dac_modification_fchownat"·selected="true"/> 
318 ····<ns0:select·idref="audit_rules_dac_modification_fchown"·selected="true"/> 
319 ····<ns0:select·idref="audit_rules_dac_modification_fremovexattr"·selected="true"/> 
320 ····<ns0:select·idref="audit_rules_dac_modification_fsetxattr"·selected="true"/> 
321 ····<ns0:select·idref="audit_rules_dac_modification_lchown"·selected="true"/> 
322 ····<ns0:select·idref="audit_rules_dac_modification_lremovexattr"·selected="true"/> 
323 ····<ns0:select·idref="audit_rules_dac_modification_lsetxattr"·selected="true"/> 
324 ····<ns0:select·idref="audit_rules_dac_modification_removexattr"·selected="true"/> 
325 ····<ns0:select·idref="audit_rules_dac_modification_setxattr"·selected="true"/> 
326 ····<ns0:select·idref="audit_rules_execution_chcon"·selected="true"/> 
327 ····<ns0:select·idref="audit_rules_execution_restorecon"·selected="true"/> 
328 ····<ns0:select·idref="audit_rules_execution_semanage"·selected="true"/> 
329 ····<ns0:select·idref="audit_rules_execution_setsebool"·selected="true"/> 
330 ····<ns0:select·idref="audit_rules_file_deletion_events_renameat"·selected="true"/> 
331 ····<ns0:select·idref="audit_rules_file_deletion_events_rename"·selected="true"/> 
332 ····<ns0:select·idref="audit_rules_file_deletion_events_rmdir"·selected="true"/> 
333 ····<ns0:select·idref="audit_rules_file_deletion_events_unlinkat"·selected="true"/> 
334 ····<ns0:select·idref="audit_rules_file_deletion_events_unlink"·selected="true"/> 
335 ····<ns0:select·idref="audit_rules_kernel_module_loading_delete"·selected="true"/> 
336 ····<ns0:select·idref="audit_rules_kernel_module_loading_init"·selected="true"/> 
337 ····<ns0:select·idref="audit_rules_kernel_module_loading_insmod"·selected="true"/> 
338 ····<ns0:select·idref="audit_rules_kernel_module_loading_modprobe"·selected="true"/> 
Max diff block lines reached; 1966174/1989941 bytes (98.81%) of diff not shown.
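Review bot: The entire `<ns0:Profile id="hipaa">` element (old lines 220 onward, including its title, description and every `<ns0:select>`) has no counterpart at the same offset in the second build, where the hunk covers only 14 lines, so a complete compliance profile is either relocated or dropped depending on the build run. The hunk is truncated here (98.81% of this file's diff not shown), so it cannot be confirmed from this view whether the profile reappears later in the file; if it is merely relocated, the fix is to emit Profile elements in a deterministic order (for instance sorted by `id`), and if it is absent, that is a content defect rather than a reproducibility nit. Either way, consumers evaluating the hipaa profile can get different rule sets from two builds of the same 0.1.39-2 source, which defeats the point of signed, checksummed SCAP content. The `<ns0:Benchmark>` that encloses these lines opens and closes outside the hunk.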
1.74 KB
./usr/share/xml/scap/ssg/content/ssg-rhel-osp7-cpe-oval.xml
1.63 KB
./usr/share/xml/scap/ssg/content/ssg-rhel-osp7-cpe-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:32:15</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:27:33</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_rhel7:def:1"·version="1">10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_rhel7:def:1"·version="1">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>Red·Hat·Enterprise·Linux·7</ns0:title>12 ········<ns0:title>Red·Hat·Enterprise·Linux·7</ns0:title>
13 ········<ns0:affected·family="unix"/>13 ········<ns0:affected·family="unix"/>
14 ········<ns0:reference·ref_id="cpe:/o:redhat:enterprise_linux:7"·source="CPE"/>14 ········<ns0:reference·ref_id="cpe:/o:redhat:enterprise_linux:7"·source="CPE"/>
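Review bot: The only difference in this section is the generator `<ns2:timestamp>` on line 7 (`2020-07-12T03:32:15` in b1 against `2020-07-12T04:27:33` in b2), a build-time value that by itself makes the content file, and therefore the package, unreproducible. The same timestamp difference recurs in the ds.xml section below (component timestamps on lines 25 and 4854, generator timestamp on line 31), so the cause is in combine-ovals.py and the data-stream assembly rather than in this file. The OCIL generator of the same package emits a fixed `2018-07-26T14:58:28Z` (visible in the ocil sections below), which suggests it already takes its date from a pinned source, presumably SOURCE_DATE_EPOCH; the OVAL combiner could derive its timestamp the same way. For security content this matters beyond build hygiene: a bit-for-bit reproducible artifact lets a consumer confirm that the shipped checks correspond to the published source without trusting the build host.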
397 KB
./usr/share/xml/scap/ssg/content/ssg-rhel-osp7-ds.xml
397 KB
./usr/share/xml/scap/ssg/content/ssg-rhel-osp7-ds.xml
    
Offset 18, 21 lines modifiedOffset 18, 21 lines modified
18 ····</ds:checklists>18 ····</ds:checklists>
19 ····<ds:checks>19 ····<ds:checks>
20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"/>20 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"/>
21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"/>21 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"/>
22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-cpe-oval.xml"/>22 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel-osp7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel-osp7-cpe-oval.xml"/>
23 ····</ds:checks>23 ····</ds:checks>
24 ··</ds:data-stream>24 ··</ds:data-stream>
25 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"·timestamp="2020-07-11T15:38:59">25 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-oval.xml"·timestamp="2020-07-12T18:45:51">
26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">26 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
27 ······<ns0:generator>27 ······<ns0:generator>
28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>28 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>29 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
30 ········<ns2:schema_version>5.11</ns2:schema_version>30 ········<ns2:schema_version>5.11</ns2:schema_version>
31 ········<ns2:timestamp>2020-07-12T03:32:15</ns2:timestamp>31 ········<ns2:timestamp>2020-07-12T04:27:33</ns2:timestamp>
32 ······</ns0:generator>32 ······</ns0:generator>
33 ······<ns0:definitions>33 ······<ns0:definitions>
34 ········<ns0:definition·class="compliance"·id="oval:ssg-horizon_csrf_cookie_secure:def:1"·version="1">34 ········<ns0:definition·class="compliance"·id="oval:ssg-horizon_csrf_cookie_secure:def:1"·version="1">
35 ··········<ns0:metadata>35 ··········<ns0:metadata>
36 ············<ns0:title>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:title>36 ············<ns0:title>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:title>
37 ············<ns0:affected·family="unix"/>37 ············<ns0:affected·family="unix"/>
38 ············<ns0:description>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:description>38 ············<ns0:description>Is·CSRF_COOKIE_SECURE·parameter·set·to·True?</ns0:description>
Offset 4847, 27 lines modifiedOffset 4847, 27 lines modified
4847 ········</ns3:textfilecontent54_state>4847 ········</ns3:textfilecontent54_state>
4848 ········<ns3:textfilecontent54_state·id="oval:ssg-state_remote_filesystem_nosuid:ste:1"·version="1">4848 ········<ns3:textfilecontent54_state·id="oval:ssg-state_remote_filesystem_nosuid:ste:1"·version="1">
4849 ··········<ns3:subexpression·operation="pattern·match">^.*nosuid.*$</ns3:subexpression>4849 ··········<ns3:subexpression·operation="pattern·match">^.*nosuid.*$</ns3:subexpression>
4850 ········</ns3:textfilecontent54_state>4850 ········</ns3:textfilecontent54_state>
4851 ······</ns0:states>4851 ······</ns0:states>
4852 ····</ns0:oval_definitions>4852 ····</ns0:oval_definitions>
4853 ··</ds:component>4853 ··</ds:component>
4854 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"·timestamp="2020-07-11T15:39:00">4854 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel-osp7-ocil.xml"·timestamp="2020-07-12T18:45:55">
4855 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">4855 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">
4856 ······<ns0:generator>4856 ······<ns0:generator>
4857 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>4857 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
4858 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>4858 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>
4859 ········<ns0:schema_version>2.0</ns0:schema_version>4859 ········<ns0:schema_version>2.0</ns0:schema_version>
4860 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>4860 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
4861 ······</ns0:generator>4861 ······</ns0:generator>
4862 ······<ns0:questionnaires>4862 ······<ns0:questionnaires>
4863 ········<ns0:questionnaire·id="ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1">4863 ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1">
4864 ··········<ns0:title>Use·Only·Strong·MACs</ns0:title>4864 ··········<ns0:title>Enable·Use·of·Strict·Mode·Checking</ns0:title>
4865 ··········<ns0:actions>4865 ··········<ns0:actions>
4866 ············<ns0:test_action_ref>ocil:ssg-sshd_use_strong_macs_action:testaction:1</ns0:test_action_ref>4866 ············<ns0:test_action_ref>ocil:ssg-sshd_enable_strictmodes_action:testaction:1</ns0:test_action_ref>
4867 ··········</ns0:actions>4867 ··········</ns0:actions>
4868 ········</ns0:questionnaire>4868 ········</ns0:questionnaire>
4869 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1">4869 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1">
4870 ··········<ns0:title>Disable·SSH·Support·for·User·Known·Hosts</ns0:title>4870 ··········<ns0:title>Disable·SSH·Support·for·User·Known·Hosts</ns0:title>
4871 ··········<ns0:actions>4871 ··········<ns0:actions>
4872 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1</ns0:test_action_ref>4872 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1</ns0:test_action_ref>
4873 ··········</ns0:actions>4873 ··········</ns0:actions>
Offset 4880, 36 lines modifiedOffset 4880, 36 lines modified
4880 ········</ns0:questionnaire>4880 ········</ns0:questionnaire>
4881 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">4881 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">
4882 ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>4882 ··········<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>
4883 ··········<ns0:actions>4883 ··········<ns0:actions>
4884 ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>4884 ············<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>
4885 ··········</ns0:actions>4885 ··········</ns0:actions>
4886 ········</ns0:questionnaire>4886 ········</ns0:questionnaire>
4887 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">4887 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
4888 ··········<ns0:title>Disable·SSH·Support·for·Rhosts·RSA·Authentication</ns0:title>4888 ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>
4889 ··········<ns0:actions>4889 ··········<ns0:actions>
4890 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ns0:test_action_ref>4890 ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>
4891 ··········</ns0:actions>4891 ··········</ns0:actions>
4892 ········</ns0:questionnaire>4892 ········</ns0:questionnaire>
4893 ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1">4893 ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1">
4894 ··········<ns0:title>Enable·SSH·Warning·Banner</ns0:title>4894 ··········<ns0:title>Enable·SSH·Warning·Banner</ns0:title>
4895 ··········<ns0:actions>4895 ··········<ns0:actions>
4896 ············<ns0:test_action_ref>ocil:ssg-sshd_enable_warning_banner_action:testaction:1</ns0:test_action_ref>4896 ············<ns0:test_action_ref>ocil:ssg-sshd_enable_warning_banner_action:testaction:1</ns0:test_action_ref>
4897 ··········</ns0:actions>4897 ··········</ns0:actions>
4898 ········</ns0:questionnaire>4898 ········</ns0:questionnaire>
4899 ········<ns0:questionnaire·id="ocil:ssg-sshd_use_approved_macs_ocil:questionnaire:1">4899 ········<ns0:questionnaire·id="ocil:ssg-sshd_use_approved_macs_ocil:questionnaire:1">
4900 ··········<ns0:title>Use·Only·FIPS·140-2·Validated·MACs</ns0:title>4900 ··········<ns0:title>Use·Only·FIPS·140-2·Validated·MACs</ns0:title>
4901 ··········<ns0:actions>4901 ··········<ns0:actions>
4902 ············<ns0:test_action_ref>ocil:ssg-sshd_use_approved_macs_action:testaction:1</ns0:test_action_ref>4902 ············<ns0:test_action_ref>ocil:ssg-sshd_use_approved_macs_action:testaction:1</ns0:test_action_ref>
4903 ··········</ns0:actions>4903 ··········</ns0:actions>
4904 ········</ns0:questionnaire>4904 ········</ns0:questionnaire>
4905 ········<ns0:questionnaire·id="ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1">4905 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1">
4906 ··········<ns0:title>Do·Not·Allow·SSH·Environment·Options</ns0:title>4906 ··········<ns0:title>Set·LogLevel·to·INFO</ns0:title>
4907 ··········<ns0:actions>4907 ··········<ns0:actions>
4908 ············<ns0:test_action_ref>ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1</ns0:test_action_ref>4908 ············<ns0:test_action_ref>ocil:ssg-sshd_set_loglevel_info_action:testaction:1</ns0:test_action_ref>
4909 ··········</ns0:actions>4909 ··········</ns0:actions>
4910 ········</ns0:questionnaire>4910 ········</ns0:questionnaire>
4911 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1">4911 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1">
4912 ··········<ns0:title>Disable·Kerberos·Authentication</ns0:title>4912 ··········<ns0:title>Disable·Kerberos·Authentication</ns0:title>
4913 ··········<ns0:actions>4913 ··········<ns0:actions>
4914 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ns0:test_action_ref>4914 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ns0:test_action_ref>
4915 ··········</ns0:actions>4915 ··········</ns0:actions>
Offset 4922, 24 lines modifiedOffset 4922, 24 lines modified
4922 ········</ns0:questionnaire>4922 ········</ns0:questionnaire>
4923 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">4923 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
4924 ··········<ns0:title>Disable·SSH·Support·for·.rhosts·Files</ns0:title>4924 ··········<ns0:title>Disable·SSH·Support·for·.rhosts·Files</ns0:title>
4925 ··········<ns0:actions>4925 ··········<ns0:actions>
4926 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ns0:test_action_ref>4926 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ns0:test_action_ref>
4927 ··········</ns0:actions>4927 ··········</ns0:actions>
4928 ········</ns0:questionnaire>4928 ········</ns0:questionnaire>
4929 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">4929 ········<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
4930 ··········<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>4930 ··········<ns0:title>Disable·SSH·Support·for·Rhosts·RSA·Authentication</ns0:title>
4931 ··········<ns0:actions>4931 ··········<ns0:actions>
4932 ············<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>4932 ············<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ns0:test_action_ref>
4933 ··········</ns0:actions>4933 ··········</ns0:actions>
4934 ········</ns0:questionnaire>4934 ········</ns0:questionnaire>
4935 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1">4935 ········<ns0:questionnaire·id="ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1">
4936 ··········<ns0:title>Set·LogLevel·to·INFO</ns0:title>4936 ··········<ns0:title>Do·Not·Allow·SSH·Environment·Options</ns0:title>
4937 ··········<ns0:actions>4937 ··········<ns0:actions>
4938 ············<ns0:test_action_ref>ocil:ssg-sshd_set_loglevel_info_action:testaction:1</ns0:test_action_ref>4938 ············<ns0:test_action_ref>ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1</ns0:test_action_ref>
4939 ··········</ns0:actions>4939 ··········</ns0:actions>
4940 ········</ns0:questionnaire>4940 ········</ns0:questionnaire>
4941 ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1">4941 ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1">
4942 ··········<ns0:title>Enable·Encrypted·X11·Forwarding</ns0:title>4942 ··········<ns0:title>Enable·Encrypted·X11·Forwarding</ns0:title>
4943 ··········<ns0:actions>4943 ··········<ns0:actions>
4944 ············<ns0:test_action_ref>ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1</ns0:test_action_ref>4944 ············<ns0:test_action_ref>ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1</ns0:test_action_ref>
4945 ··········</ns0:actions>4945 ··········</ns0:actions>
Offset 4958, 18 lines modifiedOffset 4958, 18 lines modified
4958 ········</ns0:questionnaire>4958 ········</ns0:questionnaire>
4959 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1">4959 ········<ns0:questionnaire·id="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1">
4960 ··········<ns0:title>Set·SSH·authentication·attempt·limit</ns0:title>4960 ··········<ns0:title>Set·SSH·authentication·attempt·limit</ns0:title>
4961 ··········<ns0:actions>4961 ··········<ns0:actions>
4962 ············<ns0:test_action_ref>ocil:ssg-sshd_set_max_auth_tries_action:testaction:1</ns0:test_action_ref>4962 ············<ns0:test_action_ref>ocil:ssg-sshd_set_max_auth_tries_action:testaction:1</ns0:test_action_ref>
4963 ··········</ns0:actions>4963 ··········</ns0:actions>
4964 ········</ns0:questionnaire>4964 ········</ns0:questionnaire>
4965 ········<ns0:questionnaire·id="ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1">4965 ········<ns0:questionnaire·id="ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1">
4966 ··········<ns0:title>Enable·Use·of·Strict·Mode·Checking</ns0:title>4966 ··········<ns0:title>Use·Only·Strong·MACs</ns0:title>
4967 ··········<ns0:actions>4967 ··········<ns0:actions>
4968 ············<ns0:test_action_ref>ocil:ssg-sshd_enable_strictmodes_action:testaction:1</ns0:test_action_ref>4968 ············<ns0:test_action_ref>ocil:ssg-sshd_use_strong_macs_action:testaction:1</ns0:test_action_ref>
4969 ··········</ns0:actions>4969 ··········</ns0:actions>
4970 ········</ns0:questionnaire>4970 ········</ns0:questionnaire>
4971 ········<ns0:questionnaire·id="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1">4971 ········<ns0:questionnaire·id="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1">
4972 ··········<ns0:title>Enable·Use·of·Privilege·Separation</ns0:title>4972 ··········<ns0:title>Enable·Use·of·Privilege·Separation</ns0:title>
Max diff block lines reached; 396242/406190 bytes (97.55%) of diff not shown.
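Review bot: The embedded OCIL component of this data stream (section lines 4863 to 4968) lists the same sshd questionnaires in a different order in the two builds, for example `ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1` and `ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1` trade places, so questionnaire order is not deterministic between runs even though the set of rules is unchanged. The identical reordering appears in the standalone ssg-rhel-osp7-ocil.xml section below, including its `<ns0:test_actions>` list, which points at the input fed to xccdf-create-ocil.xslt rather than at the stylesheet itself; presumably a directory listing or an unordered collection in the Python 2.7 build step determines rule order, but that is not visible here. Sorting rules by id before the XCCDF/OCIL generation step would make the output stable and is unlikely to affect semantics, since each questionnaire is referenced by id rather than position. Without that, a hash-based comparison of the shipped content cannot distinguish a build-host difference from an actual change to a check.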
20.8 KB
./usr/share/xml/scap/ssg/content/ssg-rhel-osp7-ocil.xml
20.7 KB
./usr/share/xml/scap/ssg/content/ssg-rhel-osp7-ocil.xml
    
Offset 3, 18 lines modifiedOffset 3, 18 lines modified
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>4 ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
5 ····<ns0:product_version>ssg:·0.1.39</ns0:product_version>5 ····<ns0:product_version>ssg:·0.1.39</ns0:product_version>
6 ····<ns0:schema_version>2.0</ns0:schema_version>6 ····<ns0:schema_version>2.0</ns0:schema_version>
7 ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>7 ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:questionnaires>9 ··<ns0:questionnaires>
10 ····<ns0:questionnaire·id="ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1">10 ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1">
11 ······<ns0:title>Use·Only·Strong·MACs</ns0:title>11 ······<ns0:title>Enable·Use·of·Strict·Mode·Checking</ns0:title>
12 ······<ns0:actions>12 ······<ns0:actions>
13 ········<ns0:test_action_ref>ocil:ssg-sshd_use_strong_macs_action:testaction:1</ns0:test_action_ref>13 ········<ns0:test_action_ref>ocil:ssg-sshd_enable_strictmodes_action:testaction:1</ns0:test_action_ref>
14 ······</ns0:actions>14 ······</ns0:actions>
15 ····</ns0:questionnaire>15 ····</ns0:questionnaire>
16 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1">16 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1">
17 ······<ns0:title>Disable·SSH·Support·for·User·Known·Hosts</ns0:title>17 ······<ns0:title>Disable·SSH·Support·for·User·Known·Hosts</ns0:title>
18 ······<ns0:actions>18 ······<ns0:actions>
19 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1</ns0:test_action_ref>19 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1</ns0:test_action_ref>
20 ······</ns0:actions>20 ······</ns0:actions>
Offset 27, 36 lines modifiedOffset 27, 36 lines modified
27 ····</ns0:questionnaire>27 ····</ns0:questionnaire>
28 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">28 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">
29 ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>29 ······<ns0:title>Set·SSH·Client·Alive·Count</ns0:title>
30 ······<ns0:actions>30 ······<ns0:actions>
31 ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>31 ········<ns0:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ns0:test_action_ref>
32 ······</ns0:actions>32 ······</ns0:actions>
33 ····</ns0:questionnaire>33 ····</ns0:questionnaire>
34 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">34 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
35 ······<ns0:title>Disable·SSH·Support·for·Rhosts·RSA·Authentication</ns0:title>35 ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>
36 ······<ns0:actions>36 ······<ns0:actions>
37 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ns0:test_action_ref>37 ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>
38 ······</ns0:actions>38 ······</ns0:actions>
39 ····</ns0:questionnaire>39 ····</ns0:questionnaire>
40 ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1">40 ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1">
41 ······<ns0:title>Enable·SSH·Warning·Banner</ns0:title>41 ······<ns0:title>Enable·SSH·Warning·Banner</ns0:title>
42 ······<ns0:actions>42 ······<ns0:actions>
43 ········<ns0:test_action_ref>ocil:ssg-sshd_enable_warning_banner_action:testaction:1</ns0:test_action_ref>43 ········<ns0:test_action_ref>ocil:ssg-sshd_enable_warning_banner_action:testaction:1</ns0:test_action_ref>
44 ······</ns0:actions>44 ······</ns0:actions>
45 ····</ns0:questionnaire>45 ····</ns0:questionnaire>
46 ····<ns0:questionnaire·id="ocil:ssg-sshd_use_approved_macs_ocil:questionnaire:1">46 ····<ns0:questionnaire·id="ocil:ssg-sshd_use_approved_macs_ocil:questionnaire:1">
47 ······<ns0:title>Use·Only·FIPS·140-2·Validated·MACs</ns0:title>47 ······<ns0:title>Use·Only·FIPS·140-2·Validated·MACs</ns0:title>
48 ······<ns0:actions>48 ······<ns0:actions>
49 ········<ns0:test_action_ref>ocil:ssg-sshd_use_approved_macs_action:testaction:1</ns0:test_action_ref>49 ········<ns0:test_action_ref>ocil:ssg-sshd_use_approved_macs_action:testaction:1</ns0:test_action_ref>
50 ······</ns0:actions>50 ······</ns0:actions>
51 ····</ns0:questionnaire>51 ····</ns0:questionnaire>
52 ····<ns0:questionnaire·id="ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1">52 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1">
53 ······<ns0:title>Do·Not·Allow·SSH·Environment·Options</ns0:title>53 ······<ns0:title>Set·LogLevel·to·INFO</ns0:title>
54 ······<ns0:actions>54 ······<ns0:actions>
55 ········<ns0:test_action_ref>ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1</ns0:test_action_ref>55 ········<ns0:test_action_ref>ocil:ssg-sshd_set_loglevel_info_action:testaction:1</ns0:test_action_ref>
56 ······</ns0:actions>56 ······</ns0:actions>
57 ····</ns0:questionnaire>57 ····</ns0:questionnaire>
58 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1">58 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1">
59 ······<ns0:title>Disable·Kerberos·Authentication</ns0:title>59 ······<ns0:title>Disable·Kerberos·Authentication</ns0:title>
60 ······<ns0:actions>60 ······<ns0:actions>
61 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ns0:test_action_ref>61 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ns0:test_action_ref>
62 ······</ns0:actions>62 ······</ns0:actions>
Offset 69, 24 lines modifiedOffset 69, 24 lines modified
69 ····</ns0:questionnaire>69 ····</ns0:questionnaire>
70 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">70 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
71 ······<ns0:title>Disable·SSH·Support·for·.rhosts·Files</ns0:title>71 ······<ns0:title>Disable·SSH·Support·for·.rhosts·Files</ns0:title>
72 ······<ns0:actions>72 ······<ns0:actions>
73 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ns0:test_action_ref>73 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ns0:test_action_ref>
74 ······</ns0:actions>74 ······</ns0:actions>
75 ····</ns0:questionnaire>75 ····</ns0:questionnaire>
76 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">76 ····<ns0:questionnaire·id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
77 ······<ns0:title>Set·SSH·Idle·Timeout·Interval</ns0:title>77 ······<ns0:title>Disable·SSH·Support·for·Rhosts·RSA·Authentication</ns0:title>
78 ······<ns0:actions>78 ······<ns0:actions>
79 ········<ns0:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ns0:test_action_ref>79 ········<ns0:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ns0:test_action_ref>
80 ······</ns0:actions>80 ······</ns0:actions>
81 ····</ns0:questionnaire>81 ····</ns0:questionnaire>
82 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1">82 ····<ns0:questionnaire·id="ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1">
83 ······<ns0:title>Set·LogLevel·to·INFO</ns0:title>83 ······<ns0:title>Do·Not·Allow·SSH·Environment·Options</ns0:title>
84 ······<ns0:actions>84 ······<ns0:actions>
85 ········<ns0:test_action_ref>ocil:ssg-sshd_set_loglevel_info_action:testaction:1</ns0:test_action_ref>85 ········<ns0:test_action_ref>ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1</ns0:test_action_ref>
86 ······</ns0:actions>86 ······</ns0:actions>
87 ····</ns0:questionnaire>87 ····</ns0:questionnaire>
88 ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1">88 ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1">
89 ······<ns0:title>Enable·Encrypted·X11·Forwarding</ns0:title>89 ······<ns0:title>Enable·Encrypted·X11·Forwarding</ns0:title>
90 ······<ns0:actions>90 ······<ns0:actions>
91 ········<ns0:test_action_ref>ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1</ns0:test_action_ref>91 ········<ns0:test_action_ref>ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1</ns0:test_action_ref>
92 ······</ns0:actions>92 ······</ns0:actions>
Offset 105, 18 lines modifiedOffset 105, 18 lines modified
105 ····</ns0:questionnaire>105 ····</ns0:questionnaire>
106 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1">106 ····<ns0:questionnaire·id="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1">
107 ······<ns0:title>Set·SSH·authentication·attempt·limit</ns0:title>107 ······<ns0:title>Set·SSH·authentication·attempt·limit</ns0:title>
108 ······<ns0:actions>108 ······<ns0:actions>
109 ········<ns0:test_action_ref>ocil:ssg-sshd_set_max_auth_tries_action:testaction:1</ns0:test_action_ref>109 ········<ns0:test_action_ref>ocil:ssg-sshd_set_max_auth_tries_action:testaction:1</ns0:test_action_ref>
110 ······</ns0:actions>110 ······</ns0:actions>
111 ····</ns0:questionnaire>111 ····</ns0:questionnaire>
112 ····<ns0:questionnaire·id="ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1">112 ····<ns0:questionnaire·id="ocil:ssg-sshd_use_strong_macs_ocil:questionnaire:1">
113 ······<ns0:title>Enable·Use·of·Strict·Mode·Checking</ns0:title>113 ······<ns0:title>Use·Only·Strong·MACs</ns0:title>
114 ······<ns0:actions>114 ······<ns0:actions>
115 ········<ns0:test_action_ref>ocil:ssg-sshd_enable_strictmodes_action:testaction:1</ns0:test_action_ref>115 ········<ns0:test_action_ref>ocil:ssg-sshd_use_strong_macs_action:testaction:1</ns0:test_action_ref>
116 ······</ns0:actions>116 ······</ns0:actions>
117 ····</ns0:questionnaire>117 ····</ns0:questionnaire>
118 ····<ns0:questionnaire·id="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1">118 ····<ns0:questionnaire·id="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1">
119 ······<ns0:title>Enable·Use·of·Privilege·Separation</ns0:title>119 ······<ns0:title>Enable·Use·of·Privilege·Separation</ns0:title>
120 ······<ns0:actions>120 ······<ns0:actions>
121 ········<ns0:test_action_ref>ocil:ssg-sshd_use_priv_separation_action:testaction:1</ns0:test_action_ref>121 ········<ns0:test_action_ref>ocil:ssg-sshd_use_priv_separation_action:testaction:1</ns0:test_action_ref>
122 ······</ns0:actions>122 ······</ns0:actions>
Offset 179, 15 lines modifiedOffset 179, 15 lines modified
179 ······<ns0:title>Record·Events·that·Modify·User/Group·Information</ns0:title>179 ······<ns0:title>Record·Events·that·Modify·User/Group·Information</ns0:title>
180 ······<ns0:actions>180 ······<ns0:actions>
181 ········<ns0:test_action_ref>ocil:ssg-audit_rules_usergroup_modification_action:testaction:1</ns0:test_action_ref>181 ········<ns0:test_action_ref>ocil:ssg-audit_rules_usergroup_modification_action:testaction:1</ns0:test_action_ref>
182 ······</ns0:actions>182 ······</ns0:actions>
183 ····</ns0:questionnaire>183 ····</ns0:questionnaire>
184 ··</ns0:questionnaires>184 ··</ns0:questionnaires>
185 ··<ns0:test_actions>185 ··<ns0:test_actions>
186 ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_use_strong_macs_action:testaction:1"·question_ref="ocil:ssg-sshd_use_strong_macs_question:question:1">186 ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_enable_strictmodes_action:testaction:1"·question_ref="ocil:ssg-sshd_enable_strictmodes_question:question:1">
187 ······<ns0:when_true>187 ······<ns0:when_true>
188 ········<ns0:result>PASS</ns0:result>188 ········<ns0:result>PASS</ns0:result>
189 ······</ns0:when_true>189 ······</ns0:when_true>
190 ······<ns0:when_false>190 ······<ns0:when_false>
191 ········<ns0:result>FAIL</ns0:result>191 ········<ns0:result>FAIL</ns0:result>
192 ······</ns0:when_false>192 ······</ns0:when_false>
193 ····</ns0:boolean_question_test_action>193 ····</ns0:boolean_question_test_action>
Offset 211, 15 lines modifiedOffset 211, 15 lines modified
211 ······<ns0:when_true>211 ······<ns0:when_true>
212 ········<ns0:result>PASS</ns0:result>212 ········<ns0:result>PASS</ns0:result>
213 ······</ns0:when_true>213 ······</ns0:when_true>
214 ······<ns0:when_false>214 ······<ns0:when_false>
215 ········<ns0:result>FAIL</ns0:result>215 ········<ns0:result>FAIL</ns0:result>
216 ······</ns0:when_false>216 ······</ns0:when_false>
217 ····</ns0:boolean_question_test_action>217 ····</ns0:boolean_question_test_action>
218 ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1"·question_ref="ocil:ssg-sshd_disable_rhosts_rsa_question:question:1">218 ····<ns0:boolean_question_test_action·id="ocil:ssg-sshd_set_idle_timeout_action:testaction:1"·question_ref="ocil:ssg-sshd_set_idle_timeout_question:question:1">
219 ······<ns0:when_true>219 ······<ns0:when_true>
220 ········<ns0:result>PASS</ns0:result>220 ········<ns0:result>PASS</ns0:result>
221 ······</ns0:when_true>221 ······</ns0:when_true>
Max diff block lines reached; 12847/21091 bytes (60.91%) of diff not shown.
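--- a/usr/share/xml/scap/ssg/content/ssg-rhel-osp7-oval.xml
+++ b/usr/share/xml/scap/ssg/content/ssg-rhel-osp7-oval.xml
@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <ns0:oval_definitions xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
   <ns0:generator>
     <ns2:product_name>combine-ovals.py from SCAP Security Guide</ns2:product_name>
     <ns2:product_version>ssg: 0.1.39, python: 2.7.16</ns2:product_version>
     <ns2:schema_version>5.11</ns2:schema_version>
-    <ns2:timestamp>2020-07-12T03:32:15</ns2:timestamp>
+    <ns2:timestamp>2020-07-12T04:27:33</ns2:timestamp>
   </ns0:generator>
   <ns0:definitions>
     <ns0:definition class="compliance" id="oval:ssg-horizon_csrf_cookie_secure:def:1" version="1">
       <ns0:metadata>
         <ns0:title>Is CSRF_COOKIE_SECURE parameter set to True?</ns0:title>
         <ns0:affected family="unix"/>
         <ns0:description>Is CSRF_COOKIE_SECURE parameter set to True?</ns0:description>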
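Review bot: The only line that differs in this hunk is the generator `<ns2:timestamp>` on line 7 (`2020-07-12T03:32:15` against `2020-07-12T04:27:33`), which records the wall-clock time of the build, so this OVAL file cannot be reproduced bit-for-bit even though its definitions are unchanged. The same generator timestamp moves in the ssg-rhel6-cpe-oval.xml hunk below, and ssg-rhel6-ds.xml carries it twice more, in the `ds:component timestamp` attributes and in the embedded OVAL generator block. combine-ovals.py (named on line 4) presumably reads the current time when it writes the generator element — TODO confirm; taking that value from SOURCE_DATE_EPOCH when it is set would make the output stable, and the OCIL component in ssg-rhel6-ds.xml, whose timestamp `2018-07-26T14:58:28Z` is identical in both builds, appears to already do so.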
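--- a/usr/share/xml/scap/ssg/content/ssg-rhel-osp7-xccdf.xml
+++ b/usr/share/xml/scap/ssg/content/ssg-rhel-osp7-xccdf.xml
@@ -198,22 +198,27 @@
     <select idref="neutron_api_use_ssl" selected="true"/>
     <select idref="nova_file_ownership" selected="true"/>
     <select idref="nova_file_perms" selected="true"/>
     <select idref="nova_use_keystone" selected="true"/>
     <select idref="nova_secure_authentication" selected="true"/>
     <select idref="nova_secure_glance" selected="true"/>
     <select idref="remediation_functions" selected="false"/>
-    <select idref="docker" selected="false"/>
     <select idref="obsolete" selected="false"/>
     <select idref="r_services" selected="false"/>
     <select idref="telnet" selected="false"/>
     <select idref="nis" selected="false"/>
     <select idref="tftp" selected="false"/>
     <select idref="inetd_and_xinetd" selected="false"/>
     <select idref="talk" selected="false"/>
+    <select idref="imap" selected="false"/>
+    <select idref="configure_dovecot" selected="false"/>
+    <select idref="dovecot_enabling_ssl" selected="false"/>
+    <select idref="dovecot_allow_imap_access" selected="false"/>
+    <select idref="dovecot_support_necessary_protocols" selected="false"/>
+    <select idref="disabling_dovecot" selected="false"/>
     <select idref="ftp" selected="false"/>
     <select idref="ftp_configure_vsftpd" selected="false"/>
     <select idref="ftp_configure_firewall" selected="false"/>
     <select idref="ftp_restrict_users" selected="false"/>
     <select idref="ftp_limit_users" selected="false"/>
     <select idref="ftp_use_vsftpd" selected="false"/>
     <select idref="disabling_vsftpd" selected="false"/>
@@ -285,20 +290,15 @@
     <select idref="dhcp" selected="false"/>
     <select idref="disabling_dhcp_client" selected="false"/>
     <select idref="dhcp_server_configuration" selected="false"/>
     <select idref="dhcp_server_minimize_served_info" selected="false"/>
     <select idref="disabling_dhcp_server" selected="false"/>
     <select idref="dhcp_client_configuration" selected="false"/>
     <select idref="dhcp_client_restrict_options" selected="false"/>
-    <select idref="imap" selected="false"/>
-    <select idref="configure_dovecot" selected="false"/>
-    <select idref="dovecot_enabling_ssl" selected="false"/>
-    <select idref="dovecot_allow_imap_access" selected="false"/>
-    <select idref="dovecot_support_necessary_protocols" selected="false"/>
-    <select idref="disabling_dovecot" selected="false"/>
+    <select idref="docker" selected="false"/>
     <select idref="nfs_and_rpc" selected="false"/>
     <select idref="nfs_configuring_servers" selected="false"/>
     <select idref="export_filesystems_read_only" selected="false"/>
     <select idref="configure_exports_restrictively" selected="false"/>
     <select idref="use_acl_enforce_auth_restrictions" selected="false"/>
     <select idref="disabling_nfs" selected="false"/>
     <select idref="disabling_nfs_services" selected="false"/>
@@ -313,26 +313,26 @@
     <select idref="avahi" selected="false"/>
     <select idref="disable_avahi_group" selected="false"/>
     <select idref="avahi_configuration" selected="false"/>
     <select idref="ssh" selected="false"/>
     <select idref="ssh_server" selected="false"/>
     <select idref="sshd_strengthen_firewall" selected="false"/>
     <select idref="intro" selected="false"/>
-    <select idref="how-to-use" selected="false"/>
-    <select idref="intro-formatting-conventions" selected="false"/>
-    <select idref="intro-test-non-production" selected="false"/>
-    <select idref="intro-root-shell-assumed" selected="false"/>
-    <select idref="intro-read-sections-completely" selected="false"/>
-    <select idref="intro-reboot-required" selected="false"/>
     <select idref="general-principles" selected="false"/>
-    <select idref="principle-encrypt-transmitted-data" selected="false"/>
     <select idref="principle-minimize-software" selected="false"/>
-    <select idref="principle-use-security-tools" selected="false"/>
     <select idref="principle-separate-servers" selected="false"/>
+    <select idref="principle-use-security-tools" selected="false"/>
+    <select idref="principle-encrypt-transmitted-data" selected="false"/>
     <select idref="principle-least-privilege" selected="false"/>
+    <select idref="how-to-use" selected="false"/>
+    <select idref="intro-read-sections-completely" selected="false"/>
+    <select idref="intro-test-non-production" selected="false"/>
+    <select idref="intro-reboot-required" selected="false"/>
+    <select idref="intro-root-shell-assumed" selected="false"/>
+    <select idref="intro-formatting-conventions" selected="false"/>
     <select idref="system" selected="false"/>
     <select idref="software" selected="false"/>
     <select idref="disk_partitioning" selected="false"/>
     <select idref="sudo" selected="false"/>
     <select idref="sap" selected="false"/>
     <select idref="integrity" selected="false"/>
     <select idref="certified-vendor" selected="false"/>
@@ -350,27 +350,27 @@
     <select idref="gnome_system_settings" selected="false"/>
     <select idref="gnome_login_screen" selected="false"/>
     <select idref="gnome_network_settings" selected="false"/>
     <select idref="gnome_remote_access_settings" selected="false"/>
     <select idref="logging" selected="false"/>
     <select idref="rsyslog_sending_messages" selected="false"/>
     <select idref="ensure_rsyslog_log_file_configuration" selected="false"/>
-    <select idref="configure_logwatch_on_logserver" selected="false"/>
     <select idref="rsyslog_accepting_remote_messages" selected="false"/>
+    <select idref="configure_logwatch_on_logserver" selected="false"/>
     <select idref="log_rotation" selected="false"/>
     <select idref="network" selected="false"/>
-    <select idref="network-firewalld" selected="false"/>
-    <select idref="ruleset_modifications" selected="false"/>
-    <select idref="firewalld_activation" selected="false"/>
-    <select idref="network-ipsec" selected="false"/>
     <select idref="network-ipv6" selected="false"/>
     <select idref="configuring_ipv6" selected="false"/>
     <select idref="disabling_ipv6_autoconfig" selected="false"/>
     <select idref="network_ipv6_limit_requests" selected="false"/>
     <select idref="disabling_ipv6" selected="false"/>
+    <select idref="network-ipsec" selected="false"/>
+    <select idref="network-firewalld" selected="false"/>
+    <select idref="ruleset_modifications" selected="false"/>
+    <select idref="firewalld_activation" selected="false"/>
     <select idref="network-kernel" selected="false"/>
     <select idref="network_host_and_router_parameters" selected="false"/>
     <select idref="network_host_parameters" selected="false"/>
     <select idref="network_ssl" selected="false"/>
     <select idref="network_disable_unused_interfaces" selected="false"/>
     <select idref="network-uncommon" selected="false"/>
     <select idref="network-wireless" selected="false"/>
@@ -392,16 +392,16 @@
     <select idref="set_password_hashing_algorithm" selected="false"/>
     <select idref="locking_out_password_attempts" selected="false"/>
     <select idref="password_quality" selected="false"/>
     <select idref="password_quality_pwquality" selected="false"/>
     <select idref="accounts-banners" selected="false"/>
     <select idref="gui_login_banner" selected="false"/>
     <select idref="accounts-session" selected="false"/>
-    <select idref="user_umask" selected="false"/>
     <select idref="root_paths" selected="false"/>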
Max diff block lines reached; 366483/374097 bytes (97.96%) of diff not shown.
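Review bot: Every difference in these hunks is a change of position, not of value: `docker`, the `imap`/dovecot group, the `intro-*` and `principle-*` items, `configure_logwatch_on_logserver` and the `network-ipsec`/firewalld group all keep `selected="false"` and merely move within the Profile (old lines 205–369), so this XCCDF is unreproducible only because its `<select>` elements are emitted in an unstable order. That order presumably comes from iterating an unordered collection, or from directory-listing order, while the profile's groups are expanded — TODO confirm in the build scripts. Sorting the idrefs before the Profile is written, or sorting the `<select>` children as a post-processing step, would make the file byte-stable; as far as I know XCCDF resolves a repeated idref by document order, so a sort is only safe if each idref occurs once per profile, which is worth checking at the same time. The same reordering shows up in the OCIL questionnaire list inside ssg-rhel6-ds.xml further down, where the Samba, FTP, DNS and Postfix questionnaires change places without any content changing.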
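--- a/usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml
+++ b/usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-oval.xml
@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <ns0:oval_definitions xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
   <ns0:generator>
     <ns2:product_name>combine-ovals.py from SCAP Security Guide</ns2:product_name>
     <ns2:product_version>ssg: 0.1.39, python: 2.7.16</ns2:product_version>
     <ns2:schema_version>5.11</ns2:schema_version>
-    <ns2:timestamp>2020-07-12T03:32:20</ns2:timestamp>
+    <ns2:timestamp>2020-07-12T04:27:48</ns2:timestamp>
   </ns0:generator>
   <ns0:definitions>
     <ns0:definition class="inventory" id="oval:ssg-installed_OS_is_centos6:def:1" version="2">
       <ns0:metadata>
         <ns0:title>CentOS 6</ns0:title>
         <ns0:affected family="unix"/>
         <ns0:reference ref_id="cpe:/o:centos:centos:6" source="CPE"/>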
4.02 MB
./usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
4.02 MB
./usr/share/xml/scap/ssg/content/ssg-rhel6-ds.xml
    
Offset 26, 21 lines modifiedOffset 26, 21 lines modified
26 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/>26 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/>
27 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/>27 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/>
28 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/>28 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/>
29 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/>29 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/>
30 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/>30 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/>
31 ····</ds:checks>31 ····</ds:checks>
32 ··</ds:data-stream>32 ··</ds:data-stream>
33 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-11T15:39:01">33 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-12T18:46:00">
34 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">34 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
35 ······<ns0:generator>35 ······<ns0:generator>
36 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>36 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
37 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>37 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
38 ········<ns2:schema_version>5.11</ns2:schema_version>38 ········<ns2:schema_version>5.11</ns2:schema_version>
39 ········<ns2:timestamp>2020-07-12T03:32:20</ns2:timestamp>39 ········<ns2:timestamp>2020-07-12T04:27:48</ns2:timestamp>
40 ······</ns0:generator>40 ······</ns0:generator>
41 ······<ns0:definitions>41 ······<ns0:definitions>
42 ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1">42 ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1">
43 ··········<ns0:metadata>43 ··········<ns0:metadata>
44 ············<ns0:title>Set·Password·dcredit·Requirements</ns0:title>44 ············<ns0:title>Set·Password·dcredit·Requirements</ns0:title>
45 ············<ns0:affected·family="unix">45 ············<ns0:affected·family="unix">
46 ··············<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform>46 ··············<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform>
Offset 27893, 87 lines modifiedOffset 27893, 99 lines modified
27893 ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>27893 ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>
27894 ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>27894 ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>
27895 ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>27895 ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>
27896 ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>27896 ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>
27897 ······</ns0:variables>27897 ······</ns0:variables>
27898 ····</ns0:oval_definitions>27898 ····</ns0:oval_definitions>
27899 ··</ds:component>27899 ··</ds:component>
27900 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-11T15:39:01">27900 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-12T18:46:00">
27901 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">27901 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">
27902 ······<ns0:generator>27902 ······<ns0:generator>
27903 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>27903 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
27904 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>27904 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>
27905 ········<ns0:schema_version>2.0</ns0:schema_version>27905 ········<ns0:schema_version>2.0</ns0:schema_version>
27906 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>27906 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
27907 ······</ns0:generator>27907 ······</ns0:generator>
27908 ······<ns0:questionnaires>27908 ······<ns0:questionnaires>
27909 ········<ns0:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">27909 ········<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1">
27910 ··········<ns0:title>Disable·Samba</ns0:title>27910 ··········<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title>
27911 ··········<ns0:actions> 
27912 ············<ns0:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns0:test_action_ref> 
27913 ··········</ns0:actions> 
27914 ········</ns0:questionnaire> 
27915 ········<ns0:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> 
27916 ··········<ns0:title>Uninstall·samba·Package</ns0:title> 
27917 ··········<ns0:actions>27911 ··········<ns0:actions>
27918 ············<ns0:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns0:test_action_ref>27912 ············<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref>
27919 ··········</ns0:actions>27913 ··········</ns0:actions>
27920 ········</ns0:questionnaire>27914 ········</ns0:questionnaire>
27921 ········<ns0:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">27915 ········<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1">
27922 ··········<ns0:title>Install·the·Samba·Common·Package</ns0:title>27916 ··········<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title>
27923 ··········<ns0:actions>27917 ··········<ns0:actions>
27924 ············<ns0:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns0:test_action_ref>27918 ············<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref>
27925 ··········</ns0:actions>27919 ··········</ns0:actions>
27926 ········</ns0:questionnaire>27920 ········</ns0:questionnaire>
27927 ········<ns0:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1">27921 ········<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1">
27928 ··········<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns0:title>27922 ··········<ns0:title>Disable·vsftpd·Service</ns0:title>
27929 ··········<ns0:actions>27923 ··········<ns0:actions>
27930 ············<ns0:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns0:test_action_ref>27924 ············<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref>
27931 ··········</ns0:actions>27925 ··········</ns0:actions>
27932 ········</ns0:questionnaire>27926 ········</ns0:questionnaire>
27933 ········<ns0:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1">27927 ········<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1">
27934 ··········<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns0:title>27928 ··········<ns0:title>Uninstall·vsftpd·Package</ns0:title>
27935 ··········<ns0:actions>27929 ··········<ns0:actions>
27936 ············<ns0:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns0:test_action_ref>27930 ············<ns0:test_action_ref>ocil:ssg-package_vsftpd_removed_action:testaction:1</ns0:test_action_ref>
27937 ··········</ns0:actions>27931 ··········</ns0:actions>
27938 ········</ns0:questionnaire>27932 ········</ns0:questionnaire>
27939 ········<ns0:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1">27933 ········<ns0:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1">
27940 ··········<ns0:title>Disable·httpd·Service</ns0:title>27934 ··········<ns0:title>Disable·httpd·Service</ns0:title>
27941 ··········<ns0:actions>27935 ··········<ns0:actions>
27942 ············<ns0:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns0:test_action_ref>27936 ············<ns0:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns0:test_action_ref>
27943 ··········</ns0:actions>27937 ··········</ns0:actions>
27944 ········</ns0:questionnaire>27938 ········</ns0:questionnaire>
27945 ········<ns0:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1">27939 ········<ns0:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1">
27946 ··········<ns0:title>Uninstall·httpd·Package</ns0:title>27940 ··········<ns0:title>Uninstall·httpd·Package</ns0:title>
27947 ··········<ns0:actions>27941 ··········<ns0:actions>
27948 ············<ns0:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns0:test_action_ref>27942 ············<ns0:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns0:test_action_ref>
27949 ··········</ns0:actions>27943 ··········</ns0:actions>
27950 ········</ns0:questionnaire>27944 ········</ns0:questionnaire>
27951 ········<ns0:questionnaire·id="ocil:ssg-postfix_client_configure_mail_alias_ocil:questionnaire:1">27945 ········<ns0:questionnaire·id="ocil:ssg-service_named_disabled_ocil:questionnaire:1">
27952 ··········<ns0:title>Configure·System·to·Forward·All·Mail·For·The·Root·Account</ns0:title>27946 ··········<ns0:title>Disable·DNS·Server</ns0:title>
27953 ··········<ns0:actions>27947 ··········<ns0:actions>
27954 ············<ns0:test_action_ref>ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1</ns0:test_action_ref>27948 ············<ns0:test_action_ref>ocil:ssg-service_named_disabled_action:testaction:1</ns0:test_action_ref>
27955 ··········</ns0:actions>27949 ··········</ns0:actions>
27956 ········</ns0:questionnaire>27950 ········</ns0:questionnaire>
27957 ········<ns0:questionnaire·id="ocil:ssg-postfix_network_listening_disabled_ocil:questionnaire:1">27951 ········<ns0:questionnaire·id="ocil:ssg-package_bind_removed_ocil:questionnaire:1">
27958 ··········<ns0:title>Disable·Postfix·Network·Listening</ns0:title>27952 ··········<ns0:title>Uninstall·bind·Package</ns0:title>
27959 ··········<ns0:actions>27953 ··········<ns0:actions>
27960 ············<ns0:test_action_ref>ocil:ssg-postfix_network_listening_disabled_action:testaction:1</ns0:test_action_ref>27954 ············<ns0:test_action_ref>ocil:ssg-package_bind_removed_action:testaction:1</ns0:test_action_ref>
27961 ··········</ns0:actions>27955 ··········</ns0:actions>
27962 ········</ns0:questionnaire>27956 ········</ns0:questionnaire>
27963 ········<ns0:questionnaire·id="ocil:ssg-package_sendmail_removed_ocil:questionnaire:1">27957 ········<ns0:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">
27964 ··········<ns0:title>Uninstall·Sendmail·Package</ns0:title>27958 ··········<ns0:title>Disable·Samba</ns0:title>
27965 ··········<ns0:actions>27959 ··········<ns0:actions>
27966 ············<ns0:test_action_ref>ocil:ssg-package_sendmail_removed_action:testaction:1</ns0:test_action_ref>27960 ············<ns0:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns0:test_action_ref>
27967 ··········</ns0:actions>27961 ··········</ns0:actions>
27968 ········</ns0:questionnaire>27962 ········</ns0:questionnaire>
27969 ········<ns0:questionnaire·id="ocil:ssg-service_postfix_enabled_ocil:questionnaire:1">27963 ········<ns0:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1">
27970 ··········<ns0:title>Enable·Postfix·Service</ns0:title>27964 ··········<ns0:title>Uninstall·samba·Package</ns0:title>
27971 ··········<ns0:actions>27965 ··········<ns0:actions>
27972 ············<ns0:test_action_ref>ocil:ssg-service_postfix_enabled_action:testaction:1</ns0:test_action_ref>27966 ············<ns0:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns0:test_action_ref>
 27967 ··········</ns0:actions>
 27968 ········</ns0:questionnaire>
 27969 ········<ns0:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
 27970 ··········<ns0:title>Install·the·Samba·Common·Package</ns0:title>
 27971 ··········<ns0:actions>
 27972 ············<ns0:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns0:test_action_ref>
 27973 ··········</ns0:actions>
 27974 ········</ns0:questionnaire>
 27975 ········<ns0:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1">
 27976 ··········<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns0:title>
 27977 ··········<ns0:actions>
 27978 ············<ns0:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns0:test_action_ref>
 27979 ··········</ns0:actions>
 27980 ········</ns0:questionnaire>
 27981 ········<ns0:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1">
 27982 ··········<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns0:title>
 27983 ··········<ns0:actions>
 27984 ············<ns0:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns0:test_action_ref>
27973 ··········</ns0:actions>27985 ··········</ns0:actions>
27974 ········</ns0:questionnaire>27986 ········</ns0:questionnaire>
27975 ········<ns0:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1">27987 ········<ns0:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1">
27976 ··········<ns0:title>Configure·SSSD's·Memory·Cache·to·Expire</ns0:title>27988 ··········<ns0:title>Configure·SSSD's·Memory·Cache·to·Expire</ns0:title>
27977 ··········<ns0:actions>27989 ··········<ns0:actions>
27978 ············<ns0:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns0:test_action_ref>27990 ············<ns0:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns0:test_action_ref>
27979 ··········</ns0:actions>27991 ··········</ns0:actions>
Max diff block lines reached; 4199928/4211171 bytes (99.73%) of diff not shown.
428 KB
./usr/share/xml/scap/ssg/content/ssg-rhel6-ocil.xml
428 KB
./usr/share/xml/scap/ssg/content/ssg-rhel6-ocil.xml
    
Offset 3, 78 lines modifiedOffset 3, 90 lines modified
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>4 ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
5 ····<ns0:product_version>ssg:·0.1.39</ns0:product_version>5 ····<ns0:product_version>ssg:·0.1.39</ns0:product_version>
6 ····<ns0:schema_version>2.0</ns0:schema_version>6 ····<ns0:schema_version>2.0</ns0:schema_version>
7 ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>7 ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:questionnaires>9 ··<ns0:questionnaires>
10 ····<ns0:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">10 ····<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1">
11 ······<ns0:title>Disable·Samba</ns0:title>11 ······<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title>
12 ······<ns0:actions> 
13 ········<ns0:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns0:test_action_ref> 
14 ······</ns0:actions> 
15 ····</ns0:questionnaire> 
16 ····<ns0:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> 
17 ······<ns0:title>Uninstall·samba·Package</ns0:title> 
18 ······<ns0:actions>12 ······<ns0:actions>
19 ········<ns0:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns0:test_action_ref>13 ········<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref>
20 ······</ns0:actions>14 ······</ns0:actions>
21 ····</ns0:questionnaire>15 ····</ns0:questionnaire>
22 ····<ns0:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">16 ····<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1">
23 ······<ns0:title>Install·the·Samba·Common·Package</ns0:title>17 ······<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title>
24 ······<ns0:actions>18 ······<ns0:actions>
25 ········<ns0:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns0:test_action_ref>19 ········<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref>
26 ······</ns0:actions>20 ······</ns0:actions>
27 ····</ns0:questionnaire>21 ····</ns0:questionnaire>
28 ····<ns0:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1">22 ····<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1">
29 ······<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns0:title>23 ······<ns0:title>Disable·vsftpd·Service</ns0:title>
30 ······<ns0:actions>24 ······<ns0:actions>
31 ········<ns0:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns0:test_action_ref>25 ········<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref>
32 ······</ns0:actions>26 ······</ns0:actions>
33 ····</ns0:questionnaire>27 ····</ns0:questionnaire>
34 ····<ns0:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1">28 ····<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1">
35 ······<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns0:title>29 ······<ns0:title>Uninstall·vsftpd·Package</ns0:title>
36 ······<ns0:actions>30 ······<ns0:actions>
37 ········<ns0:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns0:test_action_ref>31 ········<ns0:test_action_ref>ocil:ssg-package_vsftpd_removed_action:testaction:1</ns0:test_action_ref>
38 ······</ns0:actions>32 ······</ns0:actions>
39 ····</ns0:questionnaire>33 ····</ns0:questionnaire>
40 ····<ns0:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1">34 ····<ns0:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1">
41 ······<ns0:title>Disable·httpd·Service</ns0:title>35 ······<ns0:title>Disable·httpd·Service</ns0:title>
42 ······<ns0:actions>36 ······<ns0:actions>
43 ········<ns0:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns0:test_action_ref>37 ········<ns0:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns0:test_action_ref>
44 ······</ns0:actions>38 ······</ns0:actions>
45 ····</ns0:questionnaire>39 ····</ns0:questionnaire>
46 ····<ns0:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1">40 ····<ns0:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1">
47 ······<ns0:title>Uninstall·httpd·Package</ns0:title>41 ······<ns0:title>Uninstall·httpd·Package</ns0:title>
48 ······<ns0:actions>42 ······<ns0:actions>
49 ········<ns0:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns0:test_action_ref>43 ········<ns0:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns0:test_action_ref>
50 ······</ns0:actions>44 ······</ns0:actions>
51 ····</ns0:questionnaire>45 ····</ns0:questionnaire>
52 ····<ns0:questionnaire·id="ocil:ssg-postfix_client_configure_mail_alias_ocil:questionnaire:1">46 ····<ns0:questionnaire·id="ocil:ssg-service_named_disabled_ocil:questionnaire:1">
53 ······<ns0:title>Configure·System·to·Forward·All·Mail·For·The·Root·Account</ns0:title>47 ······<ns0:title>Disable·DNS·Server</ns0:title>
54 ······<ns0:actions>48 ······<ns0:actions>
55 ········<ns0:test_action_ref>ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1</ns0:test_action_ref>49 ········<ns0:test_action_ref>ocil:ssg-service_named_disabled_action:testaction:1</ns0:test_action_ref>
56 ······</ns0:actions>50 ······</ns0:actions>
57 ····</ns0:questionnaire>51 ····</ns0:questionnaire>
58 ····<ns0:questionnaire·id="ocil:ssg-postfix_network_listening_disabled_ocil:questionnaire:1">52 ····<ns0:questionnaire·id="ocil:ssg-package_bind_removed_ocil:questionnaire:1">
59 ······<ns0:title>Disable·Postfix·Network·Listening</ns0:title>53 ······<ns0:title>Uninstall·bind·Package</ns0:title>
60 ······<ns0:actions>54 ······<ns0:actions>
61 ········<ns0:test_action_ref>ocil:ssg-postfix_network_listening_disabled_action:testaction:1</ns0:test_action_ref>55 ········<ns0:test_action_ref>ocil:ssg-package_bind_removed_action:testaction:1</ns0:test_action_ref>
62 ······</ns0:actions>56 ······</ns0:actions>
63 ····</ns0:questionnaire>57 ····</ns0:questionnaire>
64 ····<ns0:questionnaire·id="ocil:ssg-package_sendmail_removed_ocil:questionnaire:1">58 ····<ns0:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">
65 ······<ns0:title>Uninstall·Sendmail·Package</ns0:title>59 ······<ns0:title>Disable·Samba</ns0:title>
66 ······<ns0:actions>60 ······<ns0:actions>
67 ········<ns0:test_action_ref>ocil:ssg-package_sendmail_removed_action:testaction:1</ns0:test_action_ref>61 ········<ns0:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns0:test_action_ref>
68 ······</ns0:actions>62 ······</ns0:actions>
69 ····</ns0:questionnaire>63 ····</ns0:questionnaire>
70 ····<ns0:questionnaire·id="ocil:ssg-service_postfix_enabled_ocil:questionnaire:1">64 ····<ns0:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1">
71 ······<ns0:title>Enable·Postfix·Service</ns0:title>65 ······<ns0:title>Uninstall·samba·Package</ns0:title>
72 ······<ns0:actions>66 ······<ns0:actions>
73 ········<ns0:test_action_ref>ocil:ssg-service_postfix_enabled_action:testaction:1</ns0:test_action_ref>67 ········<ns0:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns0:test_action_ref>
 68 ······</ns0:actions>
 69 ····</ns0:questionnaire>
 70 ····<ns0:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
 71 ······<ns0:title>Install·the·Samba·Common·Package</ns0:title>
 72 ······<ns0:actions>
 73 ········<ns0:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns0:test_action_ref>
 74 ······</ns0:actions>
 75 ····</ns0:questionnaire>
 76 ····<ns0:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1">
 77 ······<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns0:title>
 78 ······<ns0:actions>
 79 ········<ns0:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns0:test_action_ref>
 80 ······</ns0:actions>
 81 ····</ns0:questionnaire>
 82 ····<ns0:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1">
 83 ······<ns0:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns0:title>
 84 ······<ns0:actions>
 85 ········<ns0:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns0:test_action_ref>
74 ······</ns0:actions>86 ······</ns0:actions>
75 ····</ns0:questionnaire>87 ····</ns0:questionnaire>
76 ····<ns0:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1">88 ····<ns0:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1">
77 ······<ns0:title>Configure·SSSD's·Memory·Cache·to·Expire</ns0:title>89 ······<ns0:title>Configure·SSSD's·Memory·Cache·to·Expire</ns0:title>
78 ······<ns0:actions>90 ······<ns0:actions>
79 ········<ns0:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns0:test_action_ref>91 ········<ns0:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns0:test_action_ref>
80 ······</ns0:actions>92 ······</ns0:actions>
Offset 99, 48 lines modifiedOffset 111, 42 lines modified
99 ····</ns0:questionnaire>111 ····</ns0:questionnaire>
100 ····<ns0:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1">112 ····<ns0:questionnaire·id="ocil:ssg-service_sssd_enabled_ocil:questionnaire:1">
101 ······<ns0:title>Enable·the·SSSD·Service</ns0:title>113 ······<ns0:title>Enable·the·SSSD·Service</ns0:title>
102 ······<ns0:actions>114 ······<ns0:actions>
103 ········<ns0:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns0:test_action_ref>115 ········<ns0:test_action_ref>ocil:ssg-service_sssd_enabled_action:testaction:1</ns0:test_action_ref>
104 ······</ns0:actions>116 ······</ns0:actions>
105 ····</ns0:questionnaire>117 ····</ns0:questionnaire>
106 ····<ns0:questionnaire·id="ocil:ssg-sysconfig_networking_bootproto_ifcfg_ocil:questionnaire:1"> 
107 ······<ns0:title>Disable·DHCP·Client</ns0:title> 
108 ······<ns0:actions> 
109 ········<ns0:test_action_ref>ocil:ssg-sysconfig_networking_bootproto_ifcfg_action:testaction:1</ns0:test_action_ref> 
110 ······</ns0:actions> 
111 ····</ns0:questionnaire> 
112 ····<ns0:questionnaire·id="ocil:ssg-package_dhcp_removed_ocil:questionnaire:1"> 
113 ······<ns0:title>Uninstall·DHCP·Server·Package</ns0:title> 
114 ······<ns0:actions> 
115 ········<ns0:test_action_ref>ocil:ssg-package_dhcp_removed_action:testaction:1</ns0:test_action_ref> 
116 ······</ns0:actions> 
117 ····</ns0:questionnaire> 
118 ····<ns0:questionnaire·id="ocil:ssg-service_dhcpd_disabled_ocil:questionnaire:1"> 
119 ······<ns0:title>Disable·DHCP·Service</ns0:title> 
120 ······<ns0:actions> 
121 ········<ns0:test_action_ref>ocil:ssg-service_dhcpd_disabled_action:testaction:1</ns0:test_action_ref> 
122 ······</ns0:actions> 
123 ····</ns0:questionnaire> 
124 ····<ns0:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1">118 ····<ns0:questionnaire·id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1">
125 ······<ns0:title>Enable·the·NTP·Daemon</ns0:title>119 ······<ns0:title>Enable·the·NTP·Daemon</ns0:title>
126 ······<ns0:actions>120 ······<ns0:actions>
127 ········<ns0:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns0:test_action_ref>121 ········<ns0:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ns0:test_action_ref>
128 ······</ns0:actions>122 ······</ns0:actions>
Max diff block lines reached; 429590/438406 bytes (97.99%) of diff not shown.
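Review bot: The questionnaire order in ssg-rhel6-ocil.xml differs between the two builds of the same source: the Samba block sits at old lines 10–39 but at new lines 58–87, the vsftpd entries appear first on the new side, and the DHCP entries at old lines 106–123 have no counterpart in the visible part of the new side. The generator metadata, including the 2018-07-26T14:58:28Z timestamp, is identical on both sides, so the instability presumably comes from an unordered collection somewhere between the XCCDF input and xccdf-create-ocil.xslt rather than from the generator header; emitting questionnaires in a fixed order (for example sorted by id) before serialisation would be the usual fix, but that needs confirming in the build scripts, which are not on this page. Until the order is stable a consumer cannot verify the shipped OCIL against a rebuild by hash, which is the property this comparison is meant to establish. The section is truncated (97.99% of the diff not shown), so the full set of moved entries is not visible here.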
1.78 KB
./usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
1.68 KB
./usr/share/xml/scap/ssg/content/ssg-rhel6-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:32:20</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:27:48</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1">10 ····<ns0:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>Set·Password·dcredit·Requirements</ns0:title>12 ········<ns0:title>Set·Password·dcredit·Requirements</ns0:title>
13 ········<ns0:affected·family="unix">13 ········<ns0:affected·family="unix">
14 ··········<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform>14 ··········<ns0:platform>Red·Hat·Enterprise·Linux·6</ns0:platform>
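Review bot: The `<ns2:timestamp>` element at line 7 of ssg-rhel6-oval.xml carries the build wall-clock time, 2020-07-12T03:32:20 on one side and 2020-07-12T04:27:48 on the other, which by itself makes every OVAL file differ between otherwise identical builds; ssg-rhel7-cpe-oval.xml shows the same divergence at its line 7. The OCIL files on this page emit 2018-07-26T14:58:28Z on both sides, so that generator appears to take its date from a fixed source while combine-ovals.py does not; deriving the OVAL timestamp from SOURCE_DATE_EPOCH in the same way would remove this difference, though how the OCIL date is actually obtained is not visible here. A stable timestamp also matters for consumers who pin content by checksum: today a checksum pins a build run, not a content revision. The timestamp alone does not account for the 1.78 KB versus 1.68 KB size difference shown in the section header, so further differences follow in the part of the file that is not shown.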
2.08 MB
./usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
2.08 MB
./usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml
    
Offset 162, 1325 lines modifiedOffset 162, 14 lines modified
162 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>162 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>
163 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>163 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
164 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>164 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>
165 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>165 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>
166 ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>166 ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
167 ··</metadata>167 ··</metadata>
168 ··<model·system="urn:xccdf:scoring:default"/>168 ··<model·system="urn:xccdf:scoring:default"/>
169 ··<Profile·id="usgcb-rhel6-server"> 
170 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">United·States·Government·Configuration·Baseline·(USGCB)</title> 
171 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">This·profile·is·a·working·draft·for·a·USGCB·submission·against 
172 RHEL6·Server.</description> 
173 ····<select·idref="kernel_disable_entropy_contribution_for_solid_state_drives"·selected="true"/> 
174 ····<select·idref="partition_for_tmp"·selected="true"/> 
175 ····<select·idref="partition_for_var"·selected="true"/> 
176 ····<select·idref="partition_for_var_log"·selected="true"/> 
177 ····<select·idref="partition_for_var_log_audit"·selected="true"/> 
178 ····<select·idref="partition_for_home"·selected="true"/> 
179 ····<select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> 
180 ····<select·idref="service_rhnsd_disabled"·selected="true"/> 
181 ····<select·idref="security_patches_up_to_date"·selected="true"/> 
182 ····<select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> 
183 ····<select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> 
184 ····<select·idref="package_aide_installed"·selected="true"/> 
185 ····<select·idref="rpm_verify_permissions"·selected="true"/> 
186 ····<select·idref="rpm_verify_hashes"·selected="true"/> 
187 ····<select·idref="mount_option_nodev_nonroot_local_partitions"·selected="true"/> 
188 ····<select·idref="mount_option_nodev_removable_partitions"·selected="true"/> 
189 ····<select·idref="mount_option_noexec_removable_partitions"·selected="true"/> 
190 ····<select·idref="mount_option_nosuid_removable_partitions"·selected="true"/> 
191 ····<select·idref="mount_option_tmp_nodev"·selected="true"/> 
192 ····<select·idref="mount_option_tmp_nosuid"·selected="true"/> 
193 ····<select·idref="mount_option_tmp_noexec"·selected="true"/> 
194 ····<select·idref="mount_option_dev_shm_nodev"·selected="true"/> 
195 ····<select·idref="mount_option_dev_shm_nosuid"·selected="true"/> 
196 ····<select·idref="mount_option_dev_shm_noexec"·selected="true"/> 
197 ····<select·idref="mount_option_var_tmp_bind"·selected="true"/> 
198 ····<select·idref="kernel_module_cramfs_disabled"·selected="true"/> 
199 ····<select·idref="kernel_module_freevxfs_disabled"·selected="true"/> 
200 ····<select·idref="kernel_module_hfs_disabled"·selected="true"/> 
201 ····<select·idref="kernel_module_hfsplus_disabled"·selected="true"/> 
202 ····<select·idref="kernel_module_jffs2_disabled"·selected="true"/> 
203 ····<select·idref="kernel_module_squashfs_disabled"·selected="true"/> 
204 ····<select·idref="kernel_module_udf_disabled"·selected="true"/> 
205 ····<select·idref="file_permissions_etc_gshadow"·selected="true"/> 
206 ····<select·idref="file_owner_etc_gshadow"·selected="true"/> 
207 ····<select·idref="file_groupowner_etc_gshadow"·selected="true"/> 
208 ····<select·idref="file_permissions_etc_shadow"·selected="true"/> 
209 ····<select·idref="userowner_shadow_file"·selected="true"/> 
210 ····<select·idref="groupowner_shadow_file"·selected="true"/> 
211 ····<select·idref="file_permissions_etc_group"·selected="true"/> 
212 ····<select·idref="file_owner_etc_group"·selected="true"/> 
213 ····<select·idref="file_groupowner_etc_group"·selected="true"/> 
214 ····<select·idref="file_permissions_etc_passwd"·selected="true"/> 
215 ····<select·idref="file_owner_etc_passwd"·selected="true"/> 
216 ····<select·idref="file_groupowner_etc_passwd"·selected="true"/> 
217 ····<select·idref="dir_perms_world_writable_sticky_bits"·selected="true"/> 
218 ····<select·idref="file_permissions_unauthorized_world_writable"·selected="true"/> 
219 ····<select·idref="file_permissions_unauthorized_sgid"·selected="true"/> 
220 ····<select·idref="file_permissions_unauthorized_suid"·selected="true"/> 
221 ····<select·idref="no_files_unowned_by_user"·selected="true"/> 
222 ····<select·idref="file_permissions_ungroupowned"·selected="true"/> 
223 ····<select·idref="dir_perms_world_writable_system_owned"·selected="true"/> 
224 ····<select·idref="umask_for_daemons"·selected="true"/> 
225 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> 
226 ····<select·idref="disable_users_coredumps"·selected="true"/> 
227 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> 
228 ····<select·idref="sysctl_kernel_exec_shield"·selected="true"/> 
229 ····<select·idref="install_PAE_kernel_on_x86-32"·selected="true"/> 
230 ····<select·idref="securetty_root_login_console_only"·selected="true"/> 
231 ····<select·idref="restrict_serial_port_logins"·selected="true"/> 
232 ····<select·idref="no_empty_passwords"·selected="true"/> 
233 ····<select·idref="accounts_password_all_shadowed"·selected="true"/> 
234 ····<select·idref="accounts_no_uid_except_zero"·selected="true"/> 
235 ····<select·idref="accounts_password_warn_age_login_defs"·selected="true"/> 
236 ····<select·idref="accounts_maximum_age_login_defs"·selected="true"/> 
237 ····<select·idref="accounts_password_minlen_login_defs"·selected="true"/> 
238 ····<select·idref="accounts_password_pam_retry"·selected="true"/> 
239 ····<select·idref="accounts_password_pam_dcredit"·selected="true"/> 
240 ····<select·idref="accounts_password_pam_ucredit"·selected="true"/> 
241 ····<select·idref="accounts_password_pam_lcredit"·selected="true"/> 
242 ····<select·idref="accounts_password_pam_ocredit"·selected="true"/> 
243 ····<select·idref="accounts_password_pam_difok"·selected="true"/> 
244 ····<select·idref="accounts_passwords_pam_faillock_deny"·selected="true"/> 
245 ····<select·idref="set_password_hashing_algorithm_systemauth"·selected="true"/> 
246 ····<select·idref="set_password_hashing_algorithm_logindefs"·selected="true"/> 
247 ····<select·idref="accounts_password_pam_unix_remember"·selected="true"/> 
248 ····<select·idref="root_path_no_dot"·selected="true"/> 
249 ····<select·idref="accounts_root_path_dirs_no_write"·selected="true"/> 
250 ····<select·idref="file_permissions_home_dirs"·selected="true"/> 
251 ····<select·idref="accounts_umask_etc_bashrc"·selected="true"/> 
252 ····<select·idref="accounts_umask_etc_csh_cshrc"·selected="true"/> 
253 ····<select·idref="accounts_umask_etc_profile"·selected="true"/> 
254 ····<select·idref="accounts_umask_etc_login_defs"·selected="true"/> 
255 ····<select·idref="file_user_owner_grub_conf"·selected="true"/> 
256 ····<select·idref="file_group_owner_grub_conf"·selected="true"/> 
257 ····<select·idref="file_permissions_grub_conf"·selected="true"/> 
258 ····<select·idref="bootloader_password"·selected="true"/> 
259 ····<select·idref="disable_interactive_boot"·selected="true"/> 
260 ····<select·idref="gconf_gnome_screensaver_idle_delay"·selected="true"/> 
261 ····<select·idref="gconf_gnome_screensaver_idle_activation_enabled"·selected="true"/> 
262 ····<select·idref="gconf_gnome_screensaver_lock_enabled"·selected="true"/> 
263 ····<select·idref="gconf_gnome_screensaver_mode_blank"·selected="true"/> 
264 ····<select·idref="banner_etc_issue"·selected="true"/> 
265 ····<select·idref="selinux_state"·selected="true"/> 
266 ····<select·idref="selinux_policytype"·selected="true"/> 
267 ····<select·idref="enable_selinux_bootloader"·selected="true"/> 
268 ····<select·idref="selinux_confinement_of_daemons"·selected="true"/> 
269 ····<select·idref="selinux_all_devicefiles_labeled"·selected="true"/> 
270 ····<select·idref="sysctl_net_ipv4_ip_forward"·selected="true"/> 
271 ····<select·idref="sysctl_net_ipv4_conf_all_send_redirects"·selected="true"/> 
272 ····<select·idref="sysctl_net_ipv4_conf_default_send_redirects"·selected="true"/> 
273 ····<select·idref="sysctl_net_ipv4_conf_all_secure_redirects"·selected="true"/> 
274 ····<select·idref="sysctl_net_ipv4_conf_all_accept_redirects"·selected="true"/> 
275 ····<select·idref="sysctl_net_ipv4_conf_default_accept_source_route"·selected="true"/> 
276 ····<select·idref="sysctl_net_ipv4_conf_default_secure_redirects"·selected="true"/> 
277 ····<select·idref="sysctl_net_ipv4_conf_default_accept_redirects"·selected="true"/> 
278 ····<select·idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses"·selected="true"/> 
279 ····<select·idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts"·selected="true"/> 
280 ····<select·idref="sysctl_net_ipv4_conf_all_log_martians"·selected="true"/> 
281 ····<select·idref="sysctl_net_ipv4_conf_all_rp_filter"·selected="true"/> 
282 ····<select·idref="sysctl_net_ipv4_tcp_syncookies"·selected="true"/> 
283 ····<select·idref="sysctl_net_ipv4_conf_default_rp_filter"·selected="true"/> 
284 ····<select·idref="wireless_disable_in_bios"·selected="true"/> 
285 ····<select·idref="service_bluetooth_disabled"·selected="true"/> 
286 ····<select·idref="network_ipv6_disable_rpc"·selected="true"/> 
287 ····<select·idref="sysctl_net_ipv6_conf_default_accept_ra"·selected="true"/> 
288 ····<select·idref="sysctl_net_ipv6_conf_default_accept_redirects"·selected="true"/> 
Max diff block lines reached; 2087069/2176096 bytes (95.91%) of diff not shown.
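Review bot: The entire `<Profile id="usgcb-rhel6-server">` element, beginning at old line 169, has no counterpart at the same position on the new side, whose hunk is only 14 lines long; whether the profile moved elsewhere in the file or was dropped cannot be told from here, since 95.91% of this diff is not shown. If it is missing, that is a content-integrity difference rather than a cosmetic one: the same package version would expose a different set of selectable profiles depending on which build produced it, and a scan run with that profile id would fail on one and succeed on the other. It is worth checking whether the build's profile ordering or inclusion depends on an unordered or environment-dependent collection and pinning it, as done for the questionnaire order in the OCIL files. The rest of the file section, including the new side's layout past line 175, is outside what is visible on this page.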
1.77 KB
./usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml
1.66 KB
./usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-oval.xml
    
Offset 1, 14 lines modifiedOffset 1, 14 lines modified
1 <?xml·version="1.0"·encoding="utf-8"?>1 <?xml·version="1.0"·encoding="utf-8"?>
2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">2 <ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>4 ····<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>5 ····<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
6 ····<ns2:schema_version>5.11</ns2:schema_version>6 ····<ns2:schema_version>5.11</ns2:schema_version>
7 ····<ns2:timestamp>2020-07-12T03:33:36</ns2:timestamp>7 ····<ns2:timestamp>2020-07-12T04:32:03</ns2:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:definitions>9 ··<ns0:definitions>
10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2">10 ····<ns0:definition·class="inventory"·id="oval:ssg-installed_OS_is_centos6:def:1"·version="2">
11 ······<ns0:metadata>11 ······<ns0:metadata>
12 ········<ns0:title>CentOS·6</ns0:title>12 ········<ns0:title>CentOS·6</ns0:title>
13 ········<ns0:affected·family="unix"/>13 ········<ns0:affected·family="unix"/>
14 ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/>14 ········<ns0:reference·ref_id="cpe:/o:centos:centos:6"·source="CPE"/>
5.33 MB
./usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
5.33 MB
./usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml
    
Offset 26, 21 lines modifiedOffset 26, 21 lines modified
26 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/>26 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/>
27 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/>27 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/>
28 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/>28 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/>
29 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/>29 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/>
30 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/>30 ······<ds:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·xlink:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/>
31 ····</ds:checks>31 ····</ds:checks>
32 ··</ds:data-stream>32 ··</ds:data-stream>
33 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-11T15:39:02">33 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-12T18:46:05">
34 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">34 ····<ns0:oval_definitions·xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5"·xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5"·xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"·xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"·xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux"·xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
35 ······<ns0:generator>35 ······<ns0:generator>
36 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>36 ········<ns2:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns2:product_name>
37 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>37 ········<ns2:product_version>ssg:·0.1.39,·python:·2.7.16</ns2:product_version>
38 ········<ns2:schema_version>5.11</ns2:schema_version>38 ········<ns2:schema_version>5.11</ns2:schema_version>
39 ········<ns2:timestamp>2020-07-12T03:33:36</ns2:timestamp>39 ········<ns2:timestamp>2020-07-12T04:32:03</ns2:timestamp>
40 ······</ns0:generator>40 ······</ns0:generator>
41 ······<ns0:definitions>41 ······<ns0:definitions>
42 ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1">42 ········<ns0:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1">
43 ··········<ns0:metadata>43 ··········<ns0:metadata>
44 ············<ns0:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns0:title>44 ············<ns0:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns0:title>
45 ············<ns0:affected·family="unix">45 ············<ns0:affected·family="unix">
46 ··············<ns0:platform>Red·Hat·Enterprise·Linux·7</ns0:platform>46 ··············<ns0:platform>Red·Hat·Enterprise·Linux·7</ns0:platform>
Offset 31871, 29 lines modifiedOffset 31871, 23 lines modified
31871 ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>31871 ········<ns0:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>
31872 ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>31872 ········<ns0:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>
31873 ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>31873 ········<ns0:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>
31874 ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>31874 ········<ns0:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>
31875 ······</ns0:variables>31875 ······</ns0:variables>
31876 ····</ns0:oval_definitions>31876 ····</ns0:oval_definitions>
31877 ··</ds:component>31877 ··</ds:component>
31878 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-11T15:39:03">31878 ··<ds:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-12T18:46:05">
31879 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">31879 ····<ns0:ocil·xmlns:ns0="http://scap.nist.gov/schema/ocil/2.0">
31880 ······<ns0:generator>31880 ······<ns0:generator>
31881 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>31881 ········<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
31882 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>31882 ········<ns0:product_version>ssg:·0.1.39</ns0:product_version>
31883 ········<ns0:schema_version>2.0</ns0:schema_version>31883 ········<ns0:schema_version>2.0</ns0:schema_version>
31884 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>31884 ········<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
31885 ······</ns0:generator>31885 ······</ns0:generator>
31886 ······<ns0:questionnaires>31886 ······<ns0:questionnaires>
31887 ········<ns0:questionnaire·id="ocil:ssg-service_docker_enabled_ocil:questionnaire:1"> 
31888 ··········<ns0:title>Enable·the·Docker·service</ns0:title> 
31889 ··········<ns0:actions> 
31890 ············<ns0:test_action_ref>ocil:ssg-service_docker_enabled_action:testaction:1</ns0:test_action_ref> 
31891 ··········</ns0:actions> 
31892 ········</ns0:questionnaire> 
31893 ········<ns0:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1">31887 ········<ns0:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1">
31894 ··········<ns0:title>Uninstall·rsh·Package</ns0:title>31888 ··········<ns0:title>Uninstall·rsh·Package</ns0:title>
31895 ··········<ns0:actions>31889 ··········<ns0:actions>
31896 ············<ns0:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns0:test_action_ref>31890 ············<ns0:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns0:test_action_ref>
31897 ··········</ns0:actions>31891 ··········</ns0:actions>
31898 ········</ns0:questionnaire>31892 ········</ns0:questionnaire>
31899 ········<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1">31893 ········<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1">
Offset 31952, 26 lines modifiedOffset 31946, 26 lines modified
31952 ········</ns0:questionnaire>31946 ········</ns0:questionnaire>
31953 ········<ns0:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1">31947 ········<ns0:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1">
31954 ··········<ns0:title>Uninstall·telnet-server·Package</ns0:title>31948 ··········<ns0:title>Uninstall·telnet-server·Package</ns0:title>
31955 ··········<ns0:actions>31949 ··········<ns0:actions>
31956 ············<ns0:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns0:test_action_ref>31950 ············<ns0:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns0:test_action_ref>
31957 ··········</ns0:actions>31951 ··········</ns0:actions>
31958 ········</ns0:questionnaire>31952 ········</ns0:questionnaire>
31959 ········<ns0:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> 
31960 ··········<ns0:title>Disable·ypbind·Service</ns0:title> 
31961 ··········<ns0:actions> 
31962 ············<ns0:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns0:test_action_ref> 
31963 ··········</ns0:actions> 
31964 ········</ns0:questionnaire> 
31965 ········<ns0:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1">31953 ········<ns0:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1">
31966 ··········<ns0:title>Remove·NIS·Client</ns0:title>31954 ··········<ns0:title>Remove·NIS·Client</ns0:title>
31967 ··········<ns0:actions>31955 ··········<ns0:actions>
31968 ············<ns0:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns0:test_action_ref>31956 ············<ns0:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns0:test_action_ref>
31969 ··········</ns0:actions>31957 ··········</ns0:actions>
31970 ········</ns0:questionnaire>31958 ········</ns0:questionnaire>
 31959 ········<ns0:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1">
 31960 ··········<ns0:title>Disable·ypbind·Service</ns0:title>
 31961 ··········<ns0:actions>
 31962 ············<ns0:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns0:test_action_ref>
 31963 ··········</ns0:actions>
 31964 ········</ns0:questionnaire>
31971 ········<ns0:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">31965 ········<ns0:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
31972 ··········<ns0:title>Uninstall·ypserv·Package</ns0:title>31966 ··········<ns0:title>Uninstall·ypserv·Package</ns0:title>
31973 ··········<ns0:actions>31967 ··········<ns0:actions>
31974 ············<ns0:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns0:test_action_ref>31968 ············<ns0:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns0:test_action_ref>
31975 ··········</ns0:actions>31969 ··········</ns0:actions>
31976 ········</ns0:questionnaire>31970 ········</ns0:questionnaire>
31977 ········<ns0:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1">31971 ········<ns0:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1">
Offset 31994, 26 lines modifiedOffset 31988, 26 lines modified
31994 ········</ns0:questionnaire>31988 ········</ns0:questionnaire>
31995 ········<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">31989 ········<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
31996 ··········<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title>31990 ··········<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title>
31997 ··········<ns0:actions>31991 ··········<ns0:actions>
31998 ············<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref>31992 ············<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref>
31999 ··········</ns0:actions>31993 ··········</ns0:actions>
32000 ········</ns0:questionnaire>31994 ········</ns0:questionnaire>
32001 ········<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> 
32002 ··········<ns0:title>Disable·xinetd·Service</ns0:title> 
32003 ··········<ns0:actions> 
32004 ············<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref> 
32005 ··········</ns0:actions> 
32006 ········</ns0:questionnaire> 
32007 ········<ns0:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1">31995 ········<ns0:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1">
32008 ··········<ns0:title>Install·tcp_wrappers·Package</ns0:title>31996 ··········<ns0:title>Install·tcp_wrappers·Package</ns0:title>
32009 ··········<ns0:actions>31997 ··········<ns0:actions>
32010 ············<ns0:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns0:test_action_ref>31998 ············<ns0:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns0:test_action_ref>
32011 ··········</ns0:actions>31999 ··········</ns0:actions>
32012 ········</ns0:questionnaire>32000 ········</ns0:questionnaire>
 32001 ········<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1">
 32002 ··········<ns0:title>Disable·xinetd·Service</ns0:title>
 32003 ··········<ns0:actions>
 32004 ············<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref>
 32005 ··········</ns0:actions>
 32006 ········</ns0:questionnaire>
32013 ········<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1">32007 ········<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1">
32014 ··········<ns0:title>Uninstall·xinetd·Package</ns0:title>32008 ··········<ns0:title>Uninstall·xinetd·Package</ns0:title>
32015 ··········<ns0:actions>32009 ··········<ns0:actions>
32016 ············<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref>32010 ············<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref>
32017 ··········</ns0:actions>32011 ··········</ns0:actions>
32018 ········</ns0:questionnaire>32012 ········</ns0:questionnaire>
32019 ········<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">32013 ········<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
Offset 32024, 26 lines modifiedOffset 32018, 38 lines modified
32024 ········</ns0:questionnaire>32018 ········</ns0:questionnaire>
32025 ········<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1">32019 ········<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1">
32026 ··········<ns0:title>Uninstall·talk-server·Package</ns0:title>32020 ··········<ns0:title>Uninstall·talk-server·Package</ns0:title>
32027 ··········<ns0:actions>32021 ··········<ns0:actions>
32028 ············<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref>32022 ············<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref>
32029 ··········</ns0:actions>32023 ··········</ns0:actions>
32030 ········</ns0:questionnaire>32024 ········</ns0:questionnaire>
32031 ········<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1">32025 ········<ns0:questionnaire·id="ocil:ssg-service_dovecot_disabled_ocil:questionnaire:1">
32032 ··········<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title>32026 ··········<ns0:title>Disable·Dovecot·Service</ns0:title>
Max diff block lines reached; 5576108/5585186 bytes (99.84%) of diff not shown.
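Review bot: The `timestamp` attribute on the two `ds:component` elements in this section (hunk lines 33 and 31878) changes between the builds, `2020-07-11T15:39:02` against `2020-07-12T18:46:05`, so the datastream cannot be reproduced bit-for-bit even once every embedded component is made stable. Whatever composes the datastream appears to stamp wall-clock time; the embedded OCIL generator already emits a fixed `2018-07-26T14:58:28Z` that looks SOURCE_DATE_EPOCH-derived, and taking the component timestamp from the same value would remove this difference. A reproducible datastream is what lets a consumer confirm that the compliance checks they run are exactly the ones built from the published source, so this is worth fixing on its own, separately from the content reordering also visible here. This section is truncated ("Max diff block lines reached"), so further differences in the file are not visible on this page.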
685 KB
./usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml
685 KB
./usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml
    
Offset 3, 20 lines modifiedOffset 3, 14 lines modified
3 ··<ns0:generator>3 ··<ns0:generator>
4 ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>4 ····<ns0:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns0:product_name>
5 ····<ns0:product_version>ssg:·0.1.39</ns0:product_version>5 ····<ns0:product_version>ssg:·0.1.39</ns0:product_version>
6 ····<ns0:schema_version>2.0</ns0:schema_version>6 ····<ns0:schema_version>2.0</ns0:schema_version>
7 ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>7 ····<ns0:timestamp>2018-07-26T14:58:28Z</ns0:timestamp>
8 ··</ns0:generator>8 ··</ns0:generator>
9 ··<ns0:questionnaires>9 ··<ns0:questionnaires>
10 ····<ns0:questionnaire·id="ocil:ssg-service_docker_enabled_ocil:questionnaire:1"> 
11 ······<ns0:title>Enable·the·Docker·service</ns0:title> 
12 ······<ns0:actions> 
13 ········<ns0:test_action_ref>ocil:ssg-service_docker_enabled_action:testaction:1</ns0:test_action_ref> 
14 ······</ns0:actions> 
15 ····</ns0:questionnaire> 
16 ····<ns0:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1">10 ····<ns0:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1">
17 ······<ns0:title>Uninstall·rsh·Package</ns0:title>11 ······<ns0:title>Uninstall·rsh·Package</ns0:title>
18 ······<ns0:actions>12 ······<ns0:actions>
19 ········<ns0:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns0:test_action_ref>13 ········<ns0:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns0:test_action_ref>
20 ······</ns0:actions>14 ······</ns0:actions>
21 ····</ns0:questionnaire>15 ····</ns0:questionnaire>
22 ····<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1">16 ····<ns0:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1">
Offset 75, 26 lines modifiedOffset 69, 26 lines modified
75 ····</ns0:questionnaire>69 ····</ns0:questionnaire>
76 ····<ns0:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1">70 ····<ns0:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1">
77 ······<ns0:title>Uninstall·telnet-server·Package</ns0:title>71 ······<ns0:title>Uninstall·telnet-server·Package</ns0:title>
78 ······<ns0:actions>72 ······<ns0:actions>
79 ········<ns0:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns0:test_action_ref>73 ········<ns0:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns0:test_action_ref>
80 ······</ns0:actions>74 ······</ns0:actions>
81 ····</ns0:questionnaire>75 ····</ns0:questionnaire>
82 ····<ns0:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> 
83 ······<ns0:title>Disable·ypbind·Service</ns0:title> 
84 ······<ns0:actions> 
85 ········<ns0:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns0:test_action_ref> 
86 ······</ns0:actions> 
87 ····</ns0:questionnaire> 
88 ····<ns0:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1">76 ····<ns0:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1">
89 ······<ns0:title>Remove·NIS·Client</ns0:title>77 ······<ns0:title>Remove·NIS·Client</ns0:title>
90 ······<ns0:actions>78 ······<ns0:actions>
91 ········<ns0:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns0:test_action_ref>79 ········<ns0:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns0:test_action_ref>
92 ······</ns0:actions>80 ······</ns0:actions>
93 ····</ns0:questionnaire>81 ····</ns0:questionnaire>
 82 ····<ns0:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1">
 83 ······<ns0:title>Disable·ypbind·Service</ns0:title>
 84 ······<ns0:actions>
 85 ········<ns0:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns0:test_action_ref>
 86 ······</ns0:actions>
 87 ····</ns0:questionnaire>
94 ····<ns0:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">88 ····<ns0:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
95 ······<ns0:title>Uninstall·ypserv·Package</ns0:title>89 ······<ns0:title>Uninstall·ypserv·Package</ns0:title>
96 ······<ns0:actions>90 ······<ns0:actions>
97 ········<ns0:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns0:test_action_ref>91 ········<ns0:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns0:test_action_ref>
98 ······</ns0:actions>92 ······</ns0:actions>
99 ····</ns0:questionnaire>93 ····</ns0:questionnaire>
100 ····<ns0:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1">94 ····<ns0:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1">
Offset 117, 26 lines modifiedOffset 111, 26 lines modified
117 ····</ns0:questionnaire>111 ····</ns0:questionnaire>
118 ····<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">112 ····<ns0:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
119 ······<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title>113 ······<ns0:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns0:title>
120 ······<ns0:actions>114 ······<ns0:actions>
121 ········<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref>115 ········<ns0:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns0:test_action_ref>
122 ······</ns0:actions>116 ······</ns0:actions>
123 ····</ns0:questionnaire>117 ····</ns0:questionnaire>
124 ····<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> 
125 ······<ns0:title>Disable·xinetd·Service</ns0:title> 
126 ······<ns0:actions> 
127 ········<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref> 
128 ······</ns0:actions> 
129 ····</ns0:questionnaire> 
130 ····<ns0:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1">118 ····<ns0:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1">
131 ······<ns0:title>Install·tcp_wrappers·Package</ns0:title>119 ······<ns0:title>Install·tcp_wrappers·Package</ns0:title>
132 ······<ns0:actions>120 ······<ns0:actions>
133 ········<ns0:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns0:test_action_ref>121 ········<ns0:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns0:test_action_ref>
134 ······</ns0:actions>122 ······</ns0:actions>
135 ····</ns0:questionnaire>123 ····</ns0:questionnaire>
 124 ····<ns0:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1">
 125 ······<ns0:title>Disable·xinetd·Service</ns0:title>
 126 ······<ns0:actions>
 127 ········<ns0:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns0:test_action_ref>
 128 ······</ns0:actions>
 129 ····</ns0:questionnaire>
136 ····<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1">130 ····<ns0:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1">
137 ······<ns0:title>Uninstall·xinetd·Package</ns0:title>131 ······<ns0:title>Uninstall·xinetd·Package</ns0:title>
138 ······<ns0:actions>132 ······<ns0:actions>
139 ········<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref>133 ········<ns0:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns0:test_action_ref>
140 ······</ns0:actions>134 ······</ns0:actions>
141 ····</ns0:questionnaire>135 ····</ns0:questionnaire>
142 ····<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">136 ····<ns0:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
Offset 147, 26 lines modifiedOffset 141, 38 lines modified
147 ····</ns0:questionnaire>141 ····</ns0:questionnaire>
148 ····<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1">142 ····<ns0:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1">
149 ······<ns0:title>Uninstall·talk-server·Package</ns0:title>143 ······<ns0:title>Uninstall·talk-server·Package</ns0:title>
150 ······<ns0:actions>144 ······<ns0:actions>
151 ········<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref>145 ········<ns0:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns0:test_action_ref>
152 ······</ns0:actions>146 ······</ns0:actions>
153 ····</ns0:questionnaire>147 ····</ns0:questionnaire>
154 ····<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1">148 ····<ns0:questionnaire·id="ocil:ssg-service_dovecot_disabled_ocil:questionnaire:1">
155 ······<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title>149 ······<ns0:title>Disable·Dovecot·Service</ns0:title>
156 ······<ns0:actions>150 ······<ns0:actions>
157 ········<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref>151 ········<ns0:test_action_ref>ocil:ssg-service_dovecot_disabled_action:testaction:1</ns0:test_action_ref>
 152 ······</ns0:actions>
 153 ····</ns0:questionnaire>
 154 ····<ns0:questionnaire·id="ocil:ssg-package_dovecot_removed_ocil:questionnaire:1">
 155 ······<ns0:title>Uninstall·dovecot·Package</ns0:title>
 156 ······<ns0:actions>
 157 ········<ns0:test_action_ref>ocil:ssg-package_dovecot_removed_action:testaction:1</ns0:test_action_ref>
158 ······</ns0:actions>158 ······</ns0:actions>
159 ····</ns0:questionnaire>159 ····</ns0:questionnaire>
160 ····<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1">160 ····<ns0:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1">
161 ······<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title>161 ······<ns0:title>Enable·Logging·of·All·FTP·Transactions</ns0:title>
162 ······<ns0:actions>162 ······<ns0:actions>
163 ········<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref>163 ········<ns0:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns0:test_action_ref>
164 ······</ns0:actions>164 ······</ns0:actions>
165 ····</ns0:questionnaire>165 ····</ns0:questionnaire>
 166 ····<ns0:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1">
 167 ······<ns0:title>Create·Warning·Banners·for·All·FTP·Users</ns0:title>
 168 ······<ns0:actions>
 169 ········<ns0:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns0:test_action_ref>
 170 ······</ns0:actions>
 171 ····</ns0:questionnaire>
166 ····<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1">172 ····<ns0:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1">
167 ······<ns0:title>Disable·vsftpd·Service</ns0:title>173 ······<ns0:title>Disable·vsftpd·Service</ns0:title>
168 ······<ns0:actions>174 ······<ns0:actions>
169 ········<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref>175 ········<ns0:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns0:test_action_ref>
170 ······</ns0:actions>176 ······</ns0:actions>
171 ····</ns0:questionnaire>177 ····</ns0:questionnaire>
172 ····<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1">178 ····<ns0:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1">
Offset 225, 26 lines modifiedOffset 231, 26 lines modified
225 ····</ns0:questionnaire>231 ····</ns0:questionnaire>
Max diff block lines reached; 694596/701458 bytes (99.02%) of diff not shown.
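Review bot: The questionnaire order differs between the two builds while the element contents do not: `ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1` moves from before `package_ypbind_removed` to after it, `service_xinetd_disabled` likewise swaps with `package_tcp_wrappers_installed`, and a `service_dovecot_disabled`/`package_dovecot_removed` pair now sits where `ftp_present_banner` used to be, with `ftp_present_banner` reappearing after `ftp_log_transactions`. This looks like unordered iteration feeding `xccdf-create-ocil.xslt` (the OVAL generator reports python 2.7.16, so dict/set ordering or directory-listing order are plausible sources; I cannot confirm which from here), and sorting questionnaires by id before emitting them, e.g. `<xsl:sort select="@id"/>` in the template that writes them, would make the output stable. The same reordering is visible in the OCIL component embedded in ssg-rhel7-ds.xml. The section is truncated, so whether the `service_docker_enabled` questionnaire removed at the top reappears later cannot be confirmed from this page; a check that is merely moved is only an ordering issue, but one that is dropped would be a silent loss of coverage and should be verified against the full diff.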
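--- a/usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml
+++ b/usr/share/xml/scap/ssg/content/ssg-rhel7-oval.xml
@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="utf-8"?>
 <ns0:oval_definitions xmlns:ns0="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:ns2="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ns3="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:ns4="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:ns5="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
   <ns0:generator>
     <ns2:product_name>combine-ovals.py from SCAP Security Guide</ns2:product_name>
     <ns2:product_version>ssg: 0.1.39, python: 2.7.16</ns2:product_version>
     <ns2:schema_version>5.11</ns2:schema_version>
-    <ns2:timestamp>2020-07-12T03:33:36</ns2:timestamp>
+    <ns2:timestamp>2020-07-12T04:32:03</ns2:timestamp>
   </ns0:generator>
   <ns0:definitions>
     <ns0:definition class="compliance" id="oval:ssg-accounts_logon_fail_delay:def:1" version="1">
       <ns0:metadata>
         <ns0:title>Ensure that FAIL_DELAY is Configured in /etc/login.defs</ns0:title>
         <ns0:affected family="unix">
           <ns0:platform>Red Hat Enterprise Linux 7</ns0:platform>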
2.11 MB
./usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
2.11 MB
./usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
    
Offset 162, 348 lines modifiedOffset 162, 14 lines modified
162 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>162 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>
163 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>163 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
164 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>164 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>
165 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>165 ····<dc:contributor·xmlns:dc="http://purl.org/dc/elements/1.1/">Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>
166 ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>166 ····<dc:source·xmlns:dc="http://purl.org/dc/elements/1.1/">https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
167 ··</metadata>167 ··</metadata>
168 ··<model·system="urn:xccdf:scoring:default"/>168 ··<model·system="urn:xccdf:scoring:default"/>
169 ··<Profile·id="hipaa"> 
170 ····<title·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">Health·Insurance·Portability·and·Accountability·Act·(HIPAA)</title> 
171 ····<description·override="true"·xml:lang="en-US"·xmlns:xhtml="http://www.w3.org/1999/xhtml">The·HIPAA·Security·Rule·establishes·U.S.·national·standards·to·protect·individuals’ 
172 electronic·personal·health·information·that·is·created,·received,·used,·or 
173 maintained·by·a·covered·entity.·The·Security·Rule·requires·appropriate 
174 administrative,·physical·and·technical·safeguards·to·ensure·the 
175 confidentiality,·integrity,·and·security·of·electronic·protected·health 
176 information. 
  
177 This·profile·configures·Red·Hat·Enterprise·Linux·7·to·the·HIPAA·Security 
178 Rule·identified·for·securing·of·electronic·protected·health·information.</description> 
179 ····<select·idref="bootloader_password"·selected="true"/> 
180 ····<select·idref="bootloader_uefi_password"·selected="true"/> 
181 ····<select·idref="file_group_owner_grub2_cfg"·selected="true"/> 
182 ····<select·idref="file_permissions_grub2_cfg"·selected="true"/> 
183 ····<select·idref="file_user_owner_grub2_cfg"·selected="true"/> 
184 ····<select·idref="disable_interactive_boot"·selected="true"/> 
185 ····<select·idref="no_direct_root_logins"·selected="true"/> 
186 ····<select·idref="no_empty_passwords"·selected="true"/> 
187 ····<select·idref="require_singleuser_auth"·selected="true"/> 
188 ····<select·idref="restrict_serial_port_logins"·selected="true"/> 
189 ····<select·idref="securetty_root_login_console_only"·selected="true"/> 
190 ····<select·idref="service_debug-shell_disabled"·selected="true"/> 
191 ····<select·idref="disable_ctrlaltdel_reboot"·selected="true"/> 
192 ····<select·idref="disable_ctrlaltdel_burstaction"·selected="true"/> 
193 ····<select·idref="dconf_gnome_remote_access_credential_prompt"·selected="true"/> 
194 ····<select·idref="dconf_gnome_remote_access_encryption"·selected="true"/> 
195 ····<select·idref="sshd_disable_empty_passwords"·selected="true"/> 
196 ····<select·idref="sshd_disable_root_login"·selected="true"/> 
197 ····<select·idref="libreswan_approved_tunnels"·selected="true"/> 
198 ····<select·idref="no_rsh_trust_files"·selected="true"/> 
199 ····<select·idref="package_rsh_removed"·selected="true"/> 
200 ····<select·idref="package_rsh-server_removed"·selected="true"/> 
201 ····<select·idref="package_talk_removed"·selected="true"/> 
202 ····<select·idref="package_talk-server_removed"·selected="true"/> 
203 ····<select·idref="package_telnet_removed"·selected="true"/> 
204 ····<select·idref="package_telnet-server_removed"·selected="true"/> 
205 ····<select·idref="package_xinetd_removed"·selected="true"/> 
206 ····<select·idref="package_ypbind_removed"·selected="true"/> 
207 ····<select·idref="package_ypserv_removed"·selected="true"/> 
208 ····<select·idref="service_crond_enabled"·selected="true"/> 
209 ····<select·idref="service_rexec_disabled"·selected="true"/> 
210 ····<select·idref="service_rlogin_disabled"·selected="true"/> 
211 ····<select·idref="service_rsh_disabled"·selected="true"/> 
212 ····<select·idref="service_telnet_disabled"·selected="true"/> 
213 ····<select·idref="service_xinetd_disabled"·selected="true"/> 
214 ····<select·idref="service_ypbind_disabled"·selected="true"/> 
215 ····<select·idref="service_zebra_disabled"·selected="true"/> 
216 ····<select·idref="use_kerberos_security_all_exports"·selected="true"/> 
217 ····<select·idref="disable_host_auth"·selected="true"/> 
218 ····<select·idref="sshd_allow_only_protocol2"·selected="true"/> 
219 ····<select·idref="sshd_disable_compression"·selected="true"/> 
220 ····<select·idref="sshd_disable_gssapi_auth"·selected="true"/> 
221 ····<select·idref="sshd_disable_kerb_auth"·selected="true"/> 
222 ····<select·idref="sshd_disable_rhosts_rsa"·selected="true"/> 
223 ····<select·idref="sshd_disable_rhosts"·selected="true"/> 
224 ····<select·idref="sshd_disable_user_known_hosts"·selected="true"/> 
225 ····<select·idref="sshd_do_not_permit_user_env"·selected="true"/> 
226 ····<select·idref="sshd_enable_strictmodes"·selected="true"/> 
227 ····<select·idref="sshd_enable_warning_banner"·selected="true"/> 
228 ····<select·idref="sshd_set_keepalive"·selected="true"/> 
229 ····<select·idref="sshd_use_priv_separation"·selected="true"/> 
230 ····<select·idref="encrypt_partitions"·selected="true"/> 
231 ····<select·idref="sshd_use_approved_ciphers"·selected="true"/> 
232 ····<select·idref="sshd_use_approved_macs"·selected="true"/> 
233 ····<select·idref="enable_selinux_bootloader"·selected="true"/> 
234 ····<select·idref="sebool_selinuxuser_execheap"·selected="true"/> 
235 ····<select·idref="sebool_selinuxuser_execmod"·selected="true"/> 
236 ····<select·idref="sebool_selinuxuser_execstack"·selected="true"/> 
237 ····<select·idref="selinux_confinement_of_daemons"·selected="true"/> 
238 ····<select·idref="selinux_policytype"·selected="true"/> 
239 ····<select·idref="selinux_state"·selected="true"/> 
240 ····<select·idref="service_kdump_disabled"·selected="true"/> 
241 ····<select·idref="sysctl_fs_suid_dumpable"·selected="true"/> 
242 ····<select·idref="sysctl_kernel_dmesg_restrict"·selected="true"/> 
243 ····<select·idref="sysctl_kernel_exec_shield"·selected="true"/> 
244 ····<select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> 
245 ····<select·idref="rpm_verify_hashes"·selected="true"/> 
246 ····<select·idref="rpm_verify_permissions"·selected="true"/> 
247 ····<select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> 
248 ····<select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> 
249 ····<select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> 
250 ····<select·idref="ensure_gpgcheck_repo_metadata"·selected="true"/> 
251 ····<select·idref="ensure_gpgcheck_local_packages"·selected="true"/> 
252 ····<select·idref="bootloader_audit_argument"·selected="true"/> 
253 ····<select·idref="service_auditd_enabled"·selected="true"/> 
254 ····<select·idref="audit_rules_privileged_commands_sudo"·selected="true"/> 
255 ····<select·idref="audit_rules_privileged_commands_su"·selected="true"/> 
256 ····<select·idref="audit_rules_immutable"·selected="true"/> 
257 ····<select·idref="kernel_module_usb-storage_disabled"·selected="true"/> 
258 ····<select·idref="service_autofs_disabled"·selected="true"/> 
259 ····<select·idref="auditd_audispd_syslog_plugin_activated"·selected="true"/> 
260 ····<select·idref="rsyslog_remote_loghost"·selected="true"/> 
261 ····<select·idref="auditd_data_retention_flush"·selected="true"/> 
262 ····<select·idref="audit_rules_dac_modification_chmod"·selected="true"/> 
263 ····<select·idref="audit_rules_dac_modification_chown"·selected="true"/> 
264 ····<select·idref="audit_rules_dac_modification_fchmodat"·selected="true"/> 
265 ····<select·idref="audit_rules_dac_modification_fchmod"·selected="true"/> 
266 ····<select·idref="audit_rules_dac_modification_fchownat"·selected="true"/> 
267 ····<select·idref="audit_rules_dac_modification_fchown"·selected="true"/> 
268 ····<select·idref="audit_rules_dac_modification_fremovexattr"·selected="true"/> 
269 ····<select·idref="audit_rules_dac_modification_fsetxattr"·selected="true"/> 
270 ····<select·idref="audit_rules_dac_modification_lchown"·selected="true"/> 
271 ····<select·idref="audit_rules_dac_modification_lremovexattr"·selected="true"/> 
272 ····<select·idref="audit_rules_dac_modification_lsetxattr"·selected="true"/> 
273 ····<select·idref="audit_rules_dac_modification_removexattr"·selected="true"/> 
274 ····<select·idref="audit_rules_dac_modification_setxattr"·selected="true"/> 
275 ····<select·idref="audit_rules_execution_chcon"·selected="true"/> 
276 ····<select·idref="audit_rules_execution_restorecon"·selected="true"/> 
277 ····<select·idref="audit_rules_execution_semanage"·selected="true"/> 
278 ····<select·idref="audit_rules_execution_setsebool"·selected="true"/> 
279 ····<select·idref="audit_rules_file_deletion_events_renameat"·selected="true"/> 
280 ····<select·idref="audit_rules_file_deletion_events_rename"·selected="true"/> 
281 ····<select·idref="audit_rules_file_deletion_events_rmdir"·selected="true"/> 
282 ····<select·idref="audit_rules_file_deletion_events_unlinkat"·selected="true"/> 
283 ····<select·idref="audit_rules_file_deletion_events_unlink"·selected="true"/> 
284 ····<select·idref="audit_rules_kernel_module_loading_delete"·selected="true"/> 
285 ····<select·idref="audit_rules_kernel_module_loading_init"·selected="true"/> 
286 ····<select·idref="audit_rules_kernel_module_loading_insmod"·selected="true"/> 
287 ····<select·idref="audit_rules_kernel_module_loading_modprobe"·selected="true"/> 
Max diff block lines reached; 2192057/2214806 bytes (98.97%) of diff not shown.
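Review bot: The `<Profile id="hipaa">` element and the `<select>` rules under it (old lines 169–287) appear only on the first build's side of this hunk, so two builds of the same 0.1.39-2 source produced ssg-rhel7-xccdf.xml files whose profile content or ordering differs, which for compliance content is a supply-chain defect in itself: a consumer cannot rebuild and hash-verify the datastream they audit against, and any tooling that keys on profile position rather than `id` may select differently. The hunk header (348 vs 14 lines) and both files rounding to 2.11 MB suggest the profile was reordered rather than dropped, but the diff is truncated here so that is not confirmed. The generator advertises `python: 2.7.16`, so the most likely cause is an unordered container or directory listing in the build scripts — to be confirmed against the XCCDF builder; emitting profiles deterministically, e.g. `for profile_id in sorted(profiles):` before writing each `<Profile>`, would remove the nondeterminism. The rest of this hunk is cut off by the diff tool.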
3.7 MB
./usr/share/xml/scap/ssg/content/ssg-sl6-ds.xml
3.7 MB
./usr/share/xml/scap/ssg/content/ssg-sl6-ds.xml
    
Offset 26, 21 lines modifiedOffset 26, 21 lines modified
26 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/>26 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml"/>
27 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/>27 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml"/>
28 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/>28 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-cpe-oval.xml"/>
29 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/>29 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-oval.xml000"/>
30 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/>30 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel6-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel6-ocil.xml000"/>
31 ····</ns0:checks>31 ····</ns0:checks>
32 ··</ns0:data-stream>32 ··</ns0:data-stream>
33 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-11T15:39:01">33 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-oval.xml"·timestamp="2020-07-12T18:46:00">
34 ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">34 ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
35 ······<ns3:generator>35 ······<ns3:generator>
36 ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name>36 ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name>
37 ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version>37 ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version>
38 ········<ns5:schema_version>5.11</ns5:schema_version>38 ········<ns5:schema_version>5.11</ns5:schema_version>
39 ········<ns5:timestamp>2020-07-12T03:32:20</ns5:timestamp>39 ········<ns5:timestamp>2020-07-12T04:27:48</ns5:timestamp>
40 ······</ns3:generator>40 ······</ns3:generator>
41 ······<ns3:definitions>41 ······<ns3:definitions>
42 ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1">42 ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_password_pam_dcredit:def:1"·version="1">
43 ··········<ns3:metadata>43 ··········<ns3:metadata>
44 ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title>44 ············<ns3:title>Set·Password·dcredit·Requirements</ns3:title>
45 ············<ns3:affected·family="unix">45 ············<ns3:affected·family="unix">
46 ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform>46 ··············<ns3:platform>Red·Hat·Enterprise·Linux·6</ns3:platform>
Offset 27893, 87 lines modifiedOffset 27893, 99 lines modified
27893 ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>27893 ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>
27894 ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>27894 ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>
27895 ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>27895 ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>
27896 ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>27896 ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>
27897 ······</ns3:variables>27897 ······</ns3:variables>
27898 ····</ns3:oval_definitions>27898 ····</ns3:oval_definitions>
27899 ··</ns0:component>27899 ··</ns0:component>
27900 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-11T15:39:01">27900 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel6-ocil.xml"·timestamp="2020-07-12T18:46:00">
27901 ····<ns9:ocil>27901 ····<ns9:ocil>
27902 ······<ns9:generator>27902 ······<ns9:generator>
27903 ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name>27903 ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name>
27904 ········<ns9:product_version>ssg:·0.1.39</ns9:product_version>27904 ········<ns9:product_version>ssg:·0.1.39</ns9:product_version>
27905 ········<ns9:schema_version>2.0</ns9:schema_version>27905 ········<ns9:schema_version>2.0</ns9:schema_version>
27906 ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp>27906 ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp>
27907 ······</ns9:generator>27907 ······</ns9:generator>
27908 ······<ns9:questionnaires>27908 ······<ns9:questionnaires>
27909 ········<ns9:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">27909 ········<ns9:questionnaire·id="ocil:ssg-ftp_log_transactions_ocil:questionnaire:1">
27910 ··········<ns9:title>Disable·Samba</ns9:title>27910 ··········<ns9:title>Enable·Logging·of·All·FTP·Transactions</ns9:title>
27911 ··········<ns9:actions> 
27912 ············<ns9:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns9:test_action_ref> 
27913 ··········</ns9:actions> 
27914 ········</ns9:questionnaire> 
27915 ········<ns9:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1"> 
27916 ··········<ns9:title>Uninstall·samba·Package</ns9:title> 
27917 ··········<ns9:actions>27911 ··········<ns9:actions>
27918 ············<ns9:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns9:test_action_ref>27912 ············<ns9:test_action_ref>ocil:ssg-ftp_log_transactions_action:testaction:1</ns9:test_action_ref>
27919 ··········</ns9:actions>27913 ··········</ns9:actions>
27920 ········</ns9:questionnaire>27914 ········</ns9:questionnaire>
27921 ········<ns9:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">27915 ········<ns9:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1">
27922 ··········<ns9:title>Install·the·Samba·Common·Package</ns9:title>27916 ··········<ns9:title>Create·Warning·Banners·for·All·FTP·Users</ns9:title>
27923 ··········<ns9:actions>27917 ··········<ns9:actions>
27924 ············<ns9:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns9:test_action_ref>27918 ············<ns9:test_action_ref>ocil:ssg-ftp_present_banner_action:testaction:1</ns9:test_action_ref>
27925 ··········</ns9:actions>27919 ··········</ns9:actions>
27926 ········</ns9:questionnaire>27920 ········</ns9:questionnaire>
27927 ········<ns9:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1">27921 ········<ns9:questionnaire·id="ocil:ssg-service_vsftpd_disabled_ocil:questionnaire:1">
27928 ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns9:title>27922 ··········<ns9:title>Disable·vsftpd·Service</ns9:title>
27929 ··········<ns9:actions>27923 ··········<ns9:actions>
27930 ············<ns9:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns9:test_action_ref>27924 ············<ns9:test_action_ref>ocil:ssg-service_vsftpd_disabled_action:testaction:1</ns9:test_action_ref>
27931 ··········</ns9:actions>27925 ··········</ns9:actions>
27932 ········</ns9:questionnaire>27926 ········</ns9:questionnaire>
27933 ········<ns9:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1">27927 ········<ns9:questionnaire·id="ocil:ssg-package_vsftpd_removed_ocil:questionnaire:1">
27934 ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns9:title>27928 ··········<ns9:title>Uninstall·vsftpd·Package</ns9:title>
27935 ··········<ns9:actions>27929 ··········<ns9:actions>
27936 ············<ns9:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns9:test_action_ref>27930 ············<ns9:test_action_ref>ocil:ssg-package_vsftpd_removed_action:testaction:1</ns9:test_action_ref>
27937 ··········</ns9:actions>27931 ··········</ns9:actions>
27938 ········</ns9:questionnaire>27932 ········</ns9:questionnaire>
27939 ········<ns9:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1">27933 ········<ns9:questionnaire·id="ocil:ssg-service_httpd_disabled_ocil:questionnaire:1">
27940 ··········<ns9:title>Disable·httpd·Service</ns9:title>27934 ··········<ns9:title>Disable·httpd·Service</ns9:title>
27941 ··········<ns9:actions>27935 ··········<ns9:actions>
27942 ············<ns9:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns9:test_action_ref>27936 ············<ns9:test_action_ref>ocil:ssg-service_httpd_disabled_action:testaction:1</ns9:test_action_ref>
27943 ··········</ns9:actions>27937 ··········</ns9:actions>
27944 ········</ns9:questionnaire>27938 ········</ns9:questionnaire>
27945 ········<ns9:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1">27939 ········<ns9:questionnaire·id="ocil:ssg-package_httpd_removed_ocil:questionnaire:1">
27946 ··········<ns9:title>Uninstall·httpd·Package</ns9:title>27940 ··········<ns9:title>Uninstall·httpd·Package</ns9:title>
27947 ··········<ns9:actions>27941 ··········<ns9:actions>
27948 ············<ns9:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns9:test_action_ref>27942 ············<ns9:test_action_ref>ocil:ssg-package_httpd_removed_action:testaction:1</ns9:test_action_ref>
27949 ··········</ns9:actions>27943 ··········</ns9:actions>
27950 ········</ns9:questionnaire>27944 ········</ns9:questionnaire>
27951 ········<ns9:questionnaire·id="ocil:ssg-postfix_client_configure_mail_alias_ocil:questionnaire:1">27945 ········<ns9:questionnaire·id="ocil:ssg-service_named_disabled_ocil:questionnaire:1">
27952 ··········<ns9:title>Configure·System·to·Forward·All·Mail·For·The·Root·Account</ns9:title>27946 ··········<ns9:title>Disable·DNS·Server</ns9:title>
27953 ··········<ns9:actions>27947 ··········<ns9:actions>
27954 ············<ns9:test_action_ref>ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1</ns9:test_action_ref>27948 ············<ns9:test_action_ref>ocil:ssg-service_named_disabled_action:testaction:1</ns9:test_action_ref>
27955 ··········</ns9:actions>27949 ··········</ns9:actions>
27956 ········</ns9:questionnaire>27950 ········</ns9:questionnaire>
27957 ········<ns9:questionnaire·id="ocil:ssg-postfix_network_listening_disabled_ocil:questionnaire:1">27951 ········<ns9:questionnaire·id="ocil:ssg-package_bind_removed_ocil:questionnaire:1">
27958 ··········<ns9:title>Disable·Postfix·Network·Listening</ns9:title>27952 ··········<ns9:title>Uninstall·bind·Package</ns9:title>
27959 ··········<ns9:actions>27953 ··········<ns9:actions>
27960 ············<ns9:test_action_ref>ocil:ssg-postfix_network_listening_disabled_action:testaction:1</ns9:test_action_ref>27954 ············<ns9:test_action_ref>ocil:ssg-package_bind_removed_action:testaction:1</ns9:test_action_ref>
27961 ··········</ns9:actions>27955 ··········</ns9:actions>
27962 ········</ns9:questionnaire>27956 ········</ns9:questionnaire>
27963 ········<ns9:questionnaire·id="ocil:ssg-package_sendmail_removed_ocil:questionnaire:1">27957 ········<ns9:questionnaire·id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">
27964 ··········<ns9:title>Uninstall·Sendmail·Package</ns9:title>27958 ··········<ns9:title>Disable·Samba</ns9:title>
27965 ··········<ns9:actions>27959 ··········<ns9:actions>
27966 ············<ns9:test_action_ref>ocil:ssg-package_sendmail_removed_action:testaction:1</ns9:test_action_ref>27960 ············<ns9:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ns9:test_action_ref>
27967 ··········</ns9:actions>27961 ··········</ns9:actions>
27968 ········</ns9:questionnaire>27962 ········</ns9:questionnaire>
27969 ········<ns9:questionnaire·id="ocil:ssg-service_postfix_enabled_ocil:questionnaire:1">27963 ········<ns9:questionnaire·id="ocil:ssg-package_samba_removed_ocil:questionnaire:1">
27970 ··········<ns9:title>Enable·Postfix·Service</ns9:title>27964 ··········<ns9:title>Uninstall·samba·Package</ns9:title>
27971 ··········<ns9:actions>27965 ··········<ns9:actions>
27972 ············<ns9:test_action_ref>ocil:ssg-service_postfix_enabled_action:testaction:1</ns9:test_action_ref>27966 ············<ns9:test_action_ref>ocil:ssg-package_samba_removed_action:testaction:1</ns9:test_action_ref>
 27967 ··········</ns9:actions>
 27968 ········</ns9:questionnaire>
 27969 ········<ns9:questionnaire·id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
 27970 ··········<ns9:title>Install·the·Samba·Common·Package</ns9:title>
 27971 ··········<ns9:actions>
 27972 ············<ns9:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ns9:test_action_ref>
 27973 ··········</ns9:actions>
 27974 ········</ns9:questionnaire>
 27975 ········<ns9:questionnaire·id="ocil:ssg-require_smb_client_signing_ocil:questionnaire:1">
 27976 ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·smbclient</ns9:title>
 27977 ··········<ns9:actions>
 27978 ············<ns9:test_action_ref>ocil:ssg-require_smb_client_signing_action:testaction:1</ns9:test_action_ref>
 27979 ··········</ns9:actions>
 27980 ········</ns9:questionnaire>
 27981 ········<ns9:questionnaire·id="ocil:ssg-mount_option_smb_client_signing_ocil:questionnaire:1">
 27982 ··········<ns9:title>Require·Client·SMB·Packet·Signing,·if·using·mount.cifs</ns9:title>
 27983 ··········<ns9:actions>
 27984 ············<ns9:test_action_ref>ocil:ssg-mount_option_smb_client_signing_action:testaction:1</ns9:test_action_ref>
27973 ··········</ns9:actions>27985 ··········</ns9:actions>
27974 ········</ns9:questionnaire>27986 ········</ns9:questionnaire>
27975 ········<ns9:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1">27987 ········<ns9:questionnaire·id="ocil:ssg-sssd_memcache_timeout_ocil:questionnaire:1">
27976 ··········<ns9:title>Configure·SSSD's·Memory·Cache·to·Expire</ns9:title>27988 ··········<ns9:title>Configure·SSSD's·Memory·Cache·to·Expire</ns9:title>
27977 ··········<ns9:actions>27989 ··········<ns9:actions>
27978 ············<ns9:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns9:test_action_ref>27990 ············<ns9:test_action_ref>ocil:ssg-sssd_memcache_timeout_action:testaction:1</ns9:test_action_ref>
27979 ··········</ns9:actions>27991 ··········</ns9:actions>
Max diff block lines reached; 3871933/3882742 bytes (99.72%) of diff not shown.
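Review bot: The `timestamp` attributes on the `<ns0:component>` elements (lines 33 and 27900) and the OVAL `<ns5:timestamp>` at line 39 differ between the two builds, while the OCIL generator `<ns9:timestamp>` at line 27906 is already a fixed 2018-07-26T14:58:28Z — so part of the pipeline already uses a clamped date and combine-ovals.py plus the datastream assembly do not. Together with the reordered `<ns9:questionnaire>` elements in the second hunk this makes ssg-sl6-ds.xml unreproducible, which defeats hash-based verification of the scanner's input even though the content is presumably equivalent. Both generators should derive their timestamps from the same clamped source (`SOURCE_DATE_EPOCH` is the conventional one) and the questionnaires should be emitted sorted by `id`; whether any consumer depends on questionnaire document order cannot be determined from this view. The second hunk is cut off by the diff tool.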
1.68 MB
./usr/share/xml/scap/ssg/content/ssg-sl6-xccdf.xml
1.68 MB
./usr/share/xml/scap/ssg/content/ssg-sl6-xccdf.xml
    
Offset 221, 1325 lines modifiedOffset 221, 14 lines modified
221 ····<dc:contributor>Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>221 ····<dc:contributor>Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>
222 ····<dc:contributor>Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>222 ····<dc:contributor>Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
223 ····<dc:contributor>Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>223 ····<dc:contributor>Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>
224 ····<dc:contributor>Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>224 ····<dc:contributor>Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>
225 ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>225 ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
226 ··</ns0:metadata>226 ··</ns0:metadata>
227 ··<ns0:model·system="urn:xccdf:scoring:default"/>227 ··<ns0:model·system="urn:xccdf:scoring:default"/>
228 ··<ns0:Profile·id="usgcb-rhel6-server"> 
229 ····<ns0:title·override="true"·xml:lang="en-US">United·States·Government·Configuration·Baseline·(USGCB)</ns0:title> 
230 ····<ns0:description·override="true"·xml:lang="en-US">This·profile·is·a·working·draft·for·a·USGCB·submission·against 
231 RHEL6·Server.</ns0:description> 
232 ····<ns0:select·idref="kernel_disable_entropy_contribution_for_solid_state_drives"·selected="true"/> 
233 ····<ns0:select·idref="partition_for_tmp"·selected="true"/> 
234 ····<ns0:select·idref="partition_for_var"·selected="true"/> 
235 ····<ns0:select·idref="partition_for_var_log"·selected="true"/> 
236 ····<ns0:select·idref="partition_for_var_log_audit"·selected="true"/> 
237 ····<ns0:select·idref="partition_for_home"·selected="true"/> 
238 ····<ns0:select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> 
239 ····<ns0:select·idref="service_rhnsd_disabled"·selected="true"/> 
240 ····<ns0:select·idref="security_patches_up_to_date"·selected="true"/> 
241 ····<ns0:select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> 
242 ····<ns0:select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> 
243 ····<ns0:select·idref="package_aide_installed"·selected="true"/> 
244 ····<ns0:select·idref="rpm_verify_permissions"·selected="true"/> 
245 ····<ns0:select·idref="rpm_verify_hashes"·selected="true"/> 
246 ····<ns0:select·idref="mount_option_nodev_nonroot_local_partitions"·selected="true"/> 
247 ····<ns0:select·idref="mount_option_nodev_removable_partitions"·selected="true"/> 
248 ····<ns0:select·idref="mount_option_noexec_removable_partitions"·selected="true"/> 
249 ····<ns0:select·idref="mount_option_nosuid_removable_partitions"·selected="true"/> 
250 ····<ns0:select·idref="mount_option_tmp_nodev"·selected="true"/> 
251 ····<ns0:select·idref="mount_option_tmp_nosuid"·selected="true"/> 
252 ····<ns0:select·idref="mount_option_tmp_noexec"·selected="true"/> 
253 ····<ns0:select·idref="mount_option_dev_shm_nodev"·selected="true"/> 
254 ····<ns0:select·idref="mount_option_dev_shm_nosuid"·selected="true"/> 
255 ····<ns0:select·idref="mount_option_dev_shm_noexec"·selected="true"/> 
256 ····<ns0:select·idref="mount_option_var_tmp_bind"·selected="true"/> 
257 ····<ns0:select·idref="kernel_module_cramfs_disabled"·selected="true"/> 
258 ····<ns0:select·idref="kernel_module_freevxfs_disabled"·selected="true"/> 
259 ····<ns0:select·idref="kernel_module_hfs_disabled"·selected="true"/> 
260 ····<ns0:select·idref="kernel_module_hfsplus_disabled"·selected="true"/> 
261 ····<ns0:select·idref="kernel_module_jffs2_disabled"·selected="true"/> 
262 ····<ns0:select·idref="kernel_module_squashfs_disabled"·selected="true"/> 
263 ····<ns0:select·idref="kernel_module_udf_disabled"·selected="true"/> 
264 ····<ns0:select·idref="file_permissions_etc_gshadow"·selected="true"/> 
265 ····<ns0:select·idref="file_owner_etc_gshadow"·selected="true"/> 
266 ····<ns0:select·idref="file_groupowner_etc_gshadow"·selected="true"/> 
267 ····<ns0:select·idref="file_permissions_etc_shadow"·selected="true"/> 
268 ····<ns0:select·idref="userowner_shadow_file"·selected="true"/> 
269 ····<ns0:select·idref="groupowner_shadow_file"·selected="true"/> 
270 ····<ns0:select·idref="file_permissions_etc_group"·selected="true"/> 
271 ····<ns0:select·idref="file_owner_etc_group"·selected="true"/> 
272 ····<ns0:select·idref="file_groupowner_etc_group"·selected="true"/> 
273 ····<ns0:select·idref="file_permissions_etc_passwd"·selected="true"/> 
274 ····<ns0:select·idref="file_owner_etc_passwd"·selected="true"/> 
275 ····<ns0:select·idref="file_groupowner_etc_passwd"·selected="true"/> 
276 ····<ns0:select·idref="dir_perms_world_writable_sticky_bits"·selected="true"/> 
277 ····<ns0:select·idref="file_permissions_unauthorized_world_writable"·selected="true"/> 
278 ····<ns0:select·idref="file_permissions_unauthorized_sgid"·selected="true"/> 
279 ····<ns0:select·idref="file_permissions_unauthorized_suid"·selected="true"/> 
280 ····<ns0:select·idref="no_files_unowned_by_user"·selected="true"/> 
281 ····<ns0:select·idref="file_permissions_ungroupowned"·selected="true"/> 
282 ····<ns0:select·idref="dir_perms_world_writable_system_owned"·selected="true"/> 
283 ····<ns0:select·idref="umask_for_daemons"·selected="true"/> 
284 ····<ns0:select·idref="sysctl_fs_suid_dumpable"·selected="true"/> 
285 ····<ns0:select·idref="disable_users_coredumps"·selected="true"/> 
286 ····<ns0:select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> 
287 ····<ns0:select·idref="sysctl_kernel_exec_shield"·selected="true"/> 
288 ····<ns0:select·idref="install_PAE_kernel_on_x86-32"·selected="true"/> 
289 ····<ns0:select·idref="securetty_root_login_console_only"·selected="true"/> 
290 ····<ns0:select·idref="restrict_serial_port_logins"·selected="true"/> 
291 ····<ns0:select·idref="no_empty_passwords"·selected="true"/> 
292 ····<ns0:select·idref="accounts_password_all_shadowed"·selected="true"/> 
293 ····<ns0:select·idref="accounts_no_uid_except_zero"·selected="true"/> 
294 ····<ns0:select·idref="accounts_password_warn_age_login_defs"·selected="true"/> 
295 ····<ns0:select·idref="accounts_maximum_age_login_defs"·selected="true"/> 
296 ····<ns0:select·idref="accounts_password_minlen_login_defs"·selected="true"/> 
297 ····<ns0:select·idref="accounts_password_pam_retry"·selected="true"/> 
298 ····<ns0:select·idref="accounts_password_pam_dcredit"·selected="true"/> 
299 ····<ns0:select·idref="accounts_password_pam_ucredit"·selected="true"/> 
300 ····<ns0:select·idref="accounts_password_pam_lcredit"·selected="true"/> 
301 ····<ns0:select·idref="accounts_password_pam_ocredit"·selected="true"/> 
302 ····<ns0:select·idref="accounts_password_pam_difok"·selected="true"/> 
303 ····<ns0:select·idref="accounts_passwords_pam_faillock_deny"·selected="true"/> 
304 ····<ns0:select·idref="set_password_hashing_algorithm_systemauth"·selected="true"/> 
305 ····<ns0:select·idref="set_password_hashing_algorithm_logindefs"·selected="true"/> 
306 ····<ns0:select·idref="accounts_password_pam_unix_remember"·selected="true"/> 
307 ····<ns0:select·idref="root_path_no_dot"·selected="true"/> 
308 ····<ns0:select·idref="accounts_root_path_dirs_no_write"·selected="true"/> 
309 ····<ns0:select·idref="file_permissions_home_dirs"·selected="true"/> 
310 ····<ns0:select·idref="accounts_umask_etc_bashrc"·selected="true"/> 
311 ····<ns0:select·idref="accounts_umask_etc_csh_cshrc"·selected="true"/> 
312 ····<ns0:select·idref="accounts_umask_etc_profile"·selected="true"/> 
313 ····<ns0:select·idref="accounts_umask_etc_login_defs"·selected="true"/> 
314 ····<ns0:select·idref="file_user_owner_grub_conf"·selected="true"/> 
315 ····<ns0:select·idref="file_group_owner_grub_conf"·selected="true"/> 
316 ····<ns0:select·idref="file_permissions_grub_conf"·selected="true"/> 
317 ····<ns0:select·idref="bootloader_password"·selected="true"/> 
318 ····<ns0:select·idref="disable_interactive_boot"·selected="true"/> 
319 ····<ns0:select·idref="gconf_gnome_screensaver_idle_delay"·selected="true"/> 
320 ····<ns0:select·idref="gconf_gnome_screensaver_idle_activation_enabled"·selected="true"/> 
321 ····<ns0:select·idref="gconf_gnome_screensaver_lock_enabled"·selected="true"/> 
322 ····<ns0:select·idref="gconf_gnome_screensaver_mode_blank"·selected="true"/> 
323 ····<ns0:select·idref="banner_etc_issue"·selected="true"/> 
324 ····<ns0:select·idref="selinux_state"·selected="true"/> 
325 ····<ns0:select·idref="selinux_policytype"·selected="true"/> 
326 ····<ns0:select·idref="enable_selinux_bootloader"·selected="true"/> 
327 ····<ns0:select·idref="selinux_confinement_of_daemons"·selected="true"/> 
328 ····<ns0:select·idref="selinux_all_devicefiles_labeled"·selected="true"/> 
329 ····<ns0:select·idref="sysctl_net_ipv4_ip_forward"·selected="true"/> 
330 ····<ns0:select·idref="sysctl_net_ipv4_conf_all_send_redirects"·selected="true"/> 
331 ····<ns0:select·idref="sysctl_net_ipv4_conf_default_send_redirects"·selected="true"/> 
332 ····<ns0:select·idref="sysctl_net_ipv4_conf_all_secure_redirects"·selected="true"/> 
333 ····<ns0:select·idref="sysctl_net_ipv4_conf_all_accept_redirects"·selected="true"/> 
334 ····<ns0:select·idref="sysctl_net_ipv4_conf_default_accept_source_route"·selected="true"/> 
335 ····<ns0:select·idref="sysctl_net_ipv4_conf_default_secure_redirects"·selected="true"/> 
336 ····<ns0:select·idref="sysctl_net_ipv4_conf_default_accept_redirects"·selected="true"/> 
337 ····<ns0:select·idref="sysctl_net_ipv4_icmp_ignore_bogus_error_responses"·selected="true"/> 
338 ····<ns0:select·idref="sysctl_net_ipv4_icmp_echo_ignore_broadcasts"·selected="true"/> 
339 ····<ns0:select·idref="sysctl_net_ipv4_conf_all_log_martians"·selected="true"/> 
340 ····<ns0:select·idref="sysctl_net_ipv4_conf_all_rp_filter"·selected="true"/> 
341 ····<ns0:select·idref="sysctl_net_ipv4_tcp_syncookies"·selected="true"/> 
342 ····<ns0:select·idref="sysctl_net_ipv4_conf_default_rp_filter"·selected="true"/> 
343 ····<ns0:select·idref="wireless_disable_in_bios"·selected="true"/> 
344 ····<ns0:select·idref="service_bluetooth_disabled"·selected="true"/> 
345 ····<ns0:select·idref="network_ipv6_disable_rpc"·selected="true"/> 
346 ····<ns0:select·idref="sysctl_net_ipv6_conf_default_accept_ra"·selected="true"/> 
347 ····<ns0:select·idref="sysctl_net_ipv6_conf_default_accept_redirects"·selected="true"/> 
Max diff block lines reached; 1662681/1756404 bytes (94.66%) of diff not shown.
5.28 MB
./usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml
5.28 MB
./usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml
    
Offset 26, 21 lines modifiedOffset 26, 21 lines modified
26 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/>26 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml"/>
27 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/>27 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml"/>
28 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/>28 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-cpe-oval.xml"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-cpe-oval.xml"/>
29 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/>29 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-oval.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-oval.xml000"/>
30 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/>30 ······<ns0:component-ref·id="scap_org.open-scap_cref_ssg-rhel7-ocil.xml000"·ns1:href="#scap_org.open-scap_comp_ssg-rhel7-ocil.xml000"/>
31 ····</ns0:checks>31 ····</ns0:checks>
32 ··</ns0:data-stream>32 ··</ns0:data-stream>
33 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-11T15:39:02">33 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-oval.xml"·timestamp="2020-07-12T18:46:05">
34 ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">34 ····<ns3:oval_definitions·xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5·oval-common-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5·oval-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#independent·independent-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#unix·unix-definitions-schema.xsd·········http://oval.mitre.org/XMLSchema/oval-definitions-5#linux·linux-definitions-schema.xsd">
35 ······<ns3:generator>35 ······<ns3:generator>
36 ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name>36 ········<ns5:product_name>combine-ovals.py·from·SCAP·Security·Guide</ns5:product_name>
37 ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version>37 ········<ns5:product_version>ssg:·0.1.39,·python:·2.7.16</ns5:product_version>
38 ········<ns5:schema_version>5.11</ns5:schema_version>38 ········<ns5:schema_version>5.11</ns5:schema_version>
39 ········<ns5:timestamp>2020-07-12T03:33:36</ns5:timestamp>39 ········<ns5:timestamp>2020-07-12T04:32:03</ns5:timestamp>
40 ······</ns3:generator>40 ······</ns3:generator>
41 ······<ns3:definitions>41 ······<ns3:definitions>
42 ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1">42 ········<ns3:definition·class="compliance"·id="oval:ssg-accounts_logon_fail_delay:def:1"·version="1">
43 ··········<ns3:metadata>43 ··········<ns3:metadata>
44 ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title>44 ············<ns3:title>Ensure·that·FAIL_DELAY·is·Configured·in·/etc/login.defs</ns3:title>
45 ············<ns3:affected·family="unix">45 ············<ns3:affected·family="unix">
46 ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform>46 ··············<ns3:platform>Red·Hat·Enterprise·Linux·7</ns3:platform>
Offset 31871, 29 lines modifiedOffset 31871, 23 lines modified
31871 ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>31871 ········<ns3:external_variable·comment="external·variable·for·zarafa_setrlimit"·datatype="boolean"·id="oval:ssg-var_zarafa_setrlimit:var:1"·version="1"/>
31872 ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>31872 ········<ns3:external_variable·comment="external·variable·for·zebra_write_config"·datatype="boolean"·id="oval:ssg-var_zebra_write_config:var:1"·version="1"/>
31873 ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>31873 ········<ns3:external_variable·comment="external·variable·for·zoneminder_anon_write"·datatype="boolean"·id="oval:ssg-var_zoneminder_anon_write:var:1"·version="1"/>
31874 ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>31874 ········<ns3:external_variable·comment="external·variable·for·zoneminder_run_sudo"·datatype="boolean"·id="oval:ssg-var_zoneminder_run_sudo:var:1"·version="1"/>
31875 ······</ns3:variables>31875 ······</ns3:variables>
31876 ····</ns3:oval_definitions>31876 ····</ns3:oval_definitions>
31877 ··</ns0:component>31877 ··</ns0:component>
31878 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-11T15:39:03">31878 ··<ns0:component·id="scap_org.open-scap_comp_ssg-rhel7-ocil.xml"·timestamp="2020-07-12T18:46:05">
31879 ····<ns9:ocil>31879 ····<ns9:ocil>
31880 ······<ns9:generator>31880 ······<ns9:generator>
31881 ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name>31881 ········<ns9:product_name>xccdf-create-ocil.xslt·from·SCAP·Security·Guide</ns9:product_name>
31882 ········<ns9:product_version>ssg:·0.1.39</ns9:product_version>31882 ········<ns9:product_version>ssg:·0.1.39</ns9:product_version>
31883 ········<ns9:schema_version>2.0</ns9:schema_version>31883 ········<ns9:schema_version>2.0</ns9:schema_version>
31884 ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp>31884 ········<ns9:timestamp>2018-07-26T14:58:28Z</ns9:timestamp>
31885 ······</ns9:generator>31885 ······</ns9:generator>
31886 ······<ns9:questionnaires>31886 ······<ns9:questionnaires>
31887 ········<ns9:questionnaire·id="ocil:ssg-service_docker_enabled_ocil:questionnaire:1"> 
31888 ··········<ns9:title>Enable·the·Docker·service</ns9:title> 
31889 ··········<ns9:actions> 
31890 ············<ns9:test_action_ref>ocil:ssg-service_docker_enabled_action:testaction:1</ns9:test_action_ref> 
31891 ··········</ns9:actions> 
31892 ········</ns9:questionnaire> 
31893 ········<ns9:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1">31887 ········<ns9:questionnaire·id="ocil:ssg-package_rsh_removed_ocil:questionnaire:1">
31894 ··········<ns9:title>Uninstall·rsh·Package</ns9:title>31888 ··········<ns9:title>Uninstall·rsh·Package</ns9:title>
31895 ··········<ns9:actions>31889 ··········<ns9:actions>
31896 ············<ns9:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns9:test_action_ref>31890 ············<ns9:test_action_ref>ocil:ssg-package_rsh_removed_action:testaction:1</ns9:test_action_ref>
31897 ··········</ns9:actions>31891 ··········</ns9:actions>
31898 ········</ns9:questionnaire>31892 ········</ns9:questionnaire>
31899 ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1">31893 ········<ns9:questionnaire·id="ocil:ssg-service_rlogin_disabled_ocil:questionnaire:1">
Offset 31952, 26 lines modifiedOffset 31946, 26 lines modified
31952 ········</ns9:questionnaire>31946 ········</ns9:questionnaire>
31953 ········<ns9:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1">31947 ········<ns9:questionnaire·id="ocil:ssg-package_telnet-server_removed_ocil:questionnaire:1">
31954 ··········<ns9:title>Uninstall·telnet-server·Package</ns9:title>31948 ··········<ns9:title>Uninstall·telnet-server·Package</ns9:title>
31955 ··········<ns9:actions>31949 ··········<ns9:actions>
31956 ············<ns9:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns9:test_action_ref>31950 ············<ns9:test_action_ref>ocil:ssg-package_telnet-server_removed_action:testaction:1</ns9:test_action_ref>
31957 ··········</ns9:actions>31951 ··········</ns9:actions>
31958 ········</ns9:questionnaire>31952 ········</ns9:questionnaire>
31959 ········<ns9:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1"> 
31960 ··········<ns9:title>Disable·ypbind·Service</ns9:title> 
31961 ··········<ns9:actions> 
31962 ············<ns9:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns9:test_action_ref> 
31963 ··········</ns9:actions> 
31964 ········</ns9:questionnaire> 
31965 ········<ns9:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1">31953 ········<ns9:questionnaire·id="ocil:ssg-package_ypbind_removed_ocil:questionnaire:1">
31966 ··········<ns9:title>Remove·NIS·Client</ns9:title>31954 ··········<ns9:title>Remove·NIS·Client</ns9:title>
31967 ··········<ns9:actions>31955 ··········<ns9:actions>
31968 ············<ns9:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns9:test_action_ref>31956 ············<ns9:test_action_ref>ocil:ssg-package_ypbind_removed_action:testaction:1</ns9:test_action_ref>
31969 ··········</ns9:actions>31957 ··········</ns9:actions>
31970 ········</ns9:questionnaire>31958 ········</ns9:questionnaire>
 31959 ········<ns9:questionnaire·id="ocil:ssg-service_ypbind_disabled_ocil:questionnaire:1">
 31960 ··········<ns9:title>Disable·ypbind·Service</ns9:title>
 31961 ··········<ns9:actions>
 31962 ············<ns9:test_action_ref>ocil:ssg-service_ypbind_disabled_action:testaction:1</ns9:test_action_ref>
 31963 ··········</ns9:actions>
 31964 ········</ns9:questionnaire>
31971 ········<ns9:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">31965 ········<ns9:questionnaire·id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
31972 ··········<ns9:title>Uninstall·ypserv·Package</ns9:title>31966 ··········<ns9:title>Uninstall·ypserv·Package</ns9:title>
31973 ··········<ns9:actions>31967 ··········<ns9:actions>
31974 ············<ns9:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns9:test_action_ref>31968 ············<ns9:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ns9:test_action_ref>
31975 ··········</ns9:actions>31969 ··········</ns9:actions>
31976 ········</ns9:questionnaire>31970 ········</ns9:questionnaire>
31977 ········<ns9:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1">31971 ········<ns9:questionnaire·id="ocil:ssg-package_tftp_removed_ocil:questionnaire:1">
Offset 31994, 26 lines modifiedOffset 31988, 26 lines modified
31994 ········</ns9:questionnaire>31988 ········</ns9:questionnaire>
31995 ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">31989 ········<ns9:questionnaire·id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
31996 ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title>31990 ··········<ns9:title>Ensure·tftp·Daemon·Uses·Secure·Mode</ns9:title>
31997 ··········<ns9:actions>31991 ··········<ns9:actions>
31998 ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref>31992 ············<ns9:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ns9:test_action_ref>
31999 ··········</ns9:actions>31993 ··········</ns9:actions>
32000 ········</ns9:questionnaire>31994 ········</ns9:questionnaire>
32001 ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1"> 
32002 ··········<ns9:title>Disable·xinetd·Service</ns9:title> 
32003 ··········<ns9:actions> 
32004 ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref> 
32005 ··········</ns9:actions> 
32006 ········</ns9:questionnaire> 
32007 ········<ns9:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1">31995 ········<ns9:questionnaire·id="ocil:ssg-package_tcp_wrappers_installed_ocil:questionnaire:1">
32008 ··········<ns9:title>Install·tcp_wrappers·Package</ns9:title>31996 ··········<ns9:title>Install·tcp_wrappers·Package</ns9:title>
32009 ··········<ns9:actions>31997 ··········<ns9:actions>
32010 ············<ns9:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns9:test_action_ref>31998 ············<ns9:test_action_ref>ocil:ssg-package_tcp_wrappers_installed_action:testaction:1</ns9:test_action_ref>
32011 ··········</ns9:actions>31999 ··········</ns9:actions>
32012 ········</ns9:questionnaire>32000 ········</ns9:questionnaire>
 32001 ········<ns9:questionnaire·id="ocil:ssg-service_xinetd_disabled_ocil:questionnaire:1">
 32002 ··········<ns9:title>Disable·xinetd·Service</ns9:title>
 32003 ··········<ns9:actions>
 32004 ············<ns9:test_action_ref>ocil:ssg-service_xinetd_disabled_action:testaction:1</ns9:test_action_ref>
 32005 ··········</ns9:actions>
 32006 ········</ns9:questionnaire>
32013 ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1">32007 ········<ns9:questionnaire·id="ocil:ssg-package_xinetd_removed_ocil:questionnaire:1">
32014 ··········<ns9:title>Uninstall·xinetd·Package</ns9:title>32008 ··········<ns9:title>Uninstall·xinetd·Package</ns9:title>
32015 ··········<ns9:actions>32009 ··········<ns9:actions>
32016 ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref>32010 ············<ns9:test_action_ref>ocil:ssg-package_xinetd_removed_action:testaction:1</ns9:test_action_ref>
32017 ··········</ns9:actions>32011 ··········</ns9:actions>
32018 ········</ns9:questionnaire>32012 ········</ns9:questionnaire>
32019 ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">32013 ········<ns9:questionnaire·id="ocil:ssg-package_talk_removed_ocil:questionnaire:1">
Offset 32024, 26 lines modifiedOffset 32018, 38 lines modified
32024 ········</ns9:questionnaire>32018 ········</ns9:questionnaire>
32025 ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1">32019 ········<ns9:questionnaire·id="ocil:ssg-package_talk-server_removed_ocil:questionnaire:1">
32026 ··········<ns9:title>Uninstall·talk-server·Package</ns9:title>32020 ··········<ns9:title>Uninstall·talk-server·Package</ns9:title>
32027 ··········<ns9:actions>32021 ··········<ns9:actions>
32028 ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref>32022 ············<ns9:test_action_ref>ocil:ssg-package_talk-server_removed_action:testaction:1</ns9:test_action_ref>
32029 ··········</ns9:actions>32023 ··········</ns9:actions>
32030 ········</ns9:questionnaire>32024 ········</ns9:questionnaire>
32031 ········<ns9:questionnaire·id="ocil:ssg-ftp_present_banner_ocil:questionnaire:1">32025 ········<ns9:questionnaire·id="ocil:ssg-service_dovecot_disabled_ocil:questionnaire:1">
32032 ··········<ns9:title>Create·Warning·Banners·for·All·FTP·Users</ns9:title>32026 ··········<ns9:title>Disable·Dovecot·Service</ns9:title>
Max diff block lines reached; 5529958/5538602 bytes (99.84%) of diff not shown.
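Review bot: The `timestamp` attributes on the `ns0:component` elements (old 2020-07-11T15:39:02, new 2020-07-12T18:46:05) and the combine-ovals.py `ns5:timestamp` (03:33:36 vs 04:32:03) come from the wall clock at build time, so two otherwise identical builds of ssg-sl7-ds.xml can never match byte for byte; the OCIL generator timestamp `2018-07-26T14:58:28Z` is already stable across both builds and matches the package file dates, so the same clamped source (presumably SOURCE_DATE_EPOCH) should feed the component and OVAL timestamps too. The questionnaire blocks for `service_ypbind_disabled` and `service_xinetd_disabled` also swap position relative to their `package_*_removed` neighbours between builds, and the `service_docker_enabled` questionnaire vanishes from its old position, which looks like iteration over an unordered container in the Python 2.7 generator rather than a content change; sorting questionnaires by id before emission would make the output deterministic. The last hunk of this section is cut off by the page, so whether the docker and ftp_present_banner questionnaires are dropped or merely moved cannot be confirmed from here.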
1.9 MB
./usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml
1.9 MB
./usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml
    
Offset 221, 348 lines modifiedOffset 221, 14 lines modified
221 ····<dc:contributor>Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>221 ····<dc:contributor>Xirui·Yang·&lt;xirui.yang@oracle.com&gt;</dc:contributor>
222 ····<dc:contributor>Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>222 ····<dc:contributor>Kevin·Zimmerman·&lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
223 ····<dc:contributor>Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>223 ····<dc:contributor>Jan·Černý·&lt;jcerny@redhat.com&gt;</dc:contributor>
224 ····<dc:contributor>Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>224 ····<dc:contributor>Michal·Šrubař·&lt;msrubar@redhat.com&gt;</dc:contributor>
225 ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>225 ····<dc:source>https://github.com/OpenSCAP/scap-security-guide/releases/latest</dc:source>
226 ··</ns0:metadata>226 ··</ns0:metadata>
227 ··<ns0:model·system="urn:xccdf:scoring:default"/>227 ··<ns0:model·system="urn:xccdf:scoring:default"/>
228 ··<ns0:Profile·id="hipaa"> 
229 ····<ns0:title·override="true"·xml:lang="en-US">Health·Insurance·Portability·and·Accountability·Act·(HIPAA)</ns0:title> 
230 ····<ns0:description·override="true"·xml:lang="en-US">The·HIPAA·Security·Rule·establishes·U.S.·national·standards·to·protect·individuals’ 
231 electronic·personal·health·information·that·is·created,·received,·used,·or 
232 maintained·by·a·covered·entity.·The·Security·Rule·requires·appropriate 
233 administrative,·physical·and·technical·safeguards·to·ensure·the 
234 confidentiality,·integrity,·and·security·of·electronic·protected·health 
235 information. 
  
236 This·profile·configures·Red·Hat·Enterprise·Linux·7·to·the·HIPAA·Security 
237 Rule·identified·for·securing·of·electronic·protected·health·information.</ns0:description> 
238 ····<ns0:select·idref="bootloader_password"·selected="true"/> 
239 ····<ns0:select·idref="bootloader_uefi_password"·selected="true"/> 
240 ····<ns0:select·idref="file_group_owner_grub2_cfg"·selected="true"/> 
241 ····<ns0:select·idref="file_permissions_grub2_cfg"·selected="true"/> 
242 ····<ns0:select·idref="file_user_owner_grub2_cfg"·selected="true"/> 
243 ····<ns0:select·idref="disable_interactive_boot"·selected="true"/> 
244 ····<ns0:select·idref="no_direct_root_logins"·selected="true"/> 
245 ····<ns0:select·idref="no_empty_passwords"·selected="true"/> 
246 ····<ns0:select·idref="require_singleuser_auth"·selected="true"/> 
247 ····<ns0:select·idref="restrict_serial_port_logins"·selected="true"/> 
248 ····<ns0:select·idref="securetty_root_login_console_only"·selected="true"/> 
249 ····<ns0:select·idref="service_debug-shell_disabled"·selected="true"/> 
250 ····<ns0:select·idref="disable_ctrlaltdel_reboot"·selected="true"/> 
251 ····<ns0:select·idref="disable_ctrlaltdel_burstaction"·selected="true"/> 
252 ····<ns0:select·idref="dconf_gnome_remote_access_credential_prompt"·selected="true"/> 
253 ····<ns0:select·idref="dconf_gnome_remote_access_encryption"·selected="true"/> 
254 ····<ns0:select·idref="sshd_disable_empty_passwords"·selected="true"/> 
255 ····<ns0:select·idref="sshd_disable_root_login"·selected="true"/> 
256 ····<ns0:select·idref="libreswan_approved_tunnels"·selected="true"/> 
257 ····<ns0:select·idref="no_rsh_trust_files"·selected="true"/> 
258 ····<ns0:select·idref="package_rsh_removed"·selected="true"/> 
259 ····<ns0:select·idref="package_rsh-server_removed"·selected="true"/> 
260 ····<ns0:select·idref="package_talk_removed"·selected="true"/> 
261 ····<ns0:select·idref="package_talk-server_removed"·selected="true"/> 
262 ····<ns0:select·idref="package_telnet_removed"·selected="true"/> 
263 ····<ns0:select·idref="package_telnet-server_removed"·selected="true"/> 
264 ····<ns0:select·idref="package_xinetd_removed"·selected="true"/> 
265 ····<ns0:select·idref="package_ypbind_removed"·selected="true"/> 
266 ····<ns0:select·idref="package_ypserv_removed"·selected="true"/> 
267 ····<ns0:select·idref="service_crond_enabled"·selected="true"/> 
268 ····<ns0:select·idref="service_rexec_disabled"·selected="true"/> 
269 ····<ns0:select·idref="service_rlogin_disabled"·selected="true"/> 
270 ····<ns0:select·idref="service_rsh_disabled"·selected="true"/> 
271 ····<ns0:select·idref="service_telnet_disabled"·selected="true"/> 
272 ····<ns0:select·idref="service_xinetd_disabled"·selected="true"/> 
273 ····<ns0:select·idref="service_ypbind_disabled"·selected="true"/> 
274 ····<ns0:select·idref="service_zebra_disabled"·selected="true"/> 
275 ····<ns0:select·idref="use_kerberos_security_all_exports"·selected="true"/> 
276 ····<ns0:select·idref="disable_host_auth"·selected="true"/> 
277 ····<ns0:select·idref="sshd_allow_only_protocol2"·selected="true"/> 
278 ····<ns0:select·idref="sshd_disable_compression"·selected="true"/> 
279 ····<ns0:select·idref="sshd_disable_gssapi_auth"·selected="true"/> 
280 ····<ns0:select·idref="sshd_disable_kerb_auth"·selected="true"/> 
281 ····<ns0:select·idref="sshd_disable_rhosts_rsa"·selected="true"/> 
282 ····<ns0:select·idref="sshd_disable_rhosts"·selected="true"/> 
283 ····<ns0:select·idref="sshd_disable_user_known_hosts"·selected="true"/> 
284 ····<ns0:select·idref="sshd_do_not_permit_user_env"·selected="true"/> 
285 ····<ns0:select·idref="sshd_enable_strictmodes"·selected="true"/> 
286 ····<ns0:select·idref="sshd_enable_warning_banner"·selected="true"/> 
287 ····<ns0:select·idref="sshd_set_keepalive"·selected="true"/> 
288 ····<ns0:select·idref="sshd_use_priv_separation"·selected="true"/> 
289 ····<ns0:select·idref="encrypt_partitions"·selected="true"/> 
290 ····<ns0:select·idref="sshd_use_approved_ciphers"·selected="true"/> 
291 ····<ns0:select·idref="sshd_use_approved_macs"·selected="true"/> 
292 ····<ns0:select·idref="enable_selinux_bootloader"·selected="true"/> 
293 ····<ns0:select·idref="sebool_selinuxuser_execheap"·selected="true"/> 
294 ····<ns0:select·idref="sebool_selinuxuser_execmod"·selected="true"/> 
295 ····<ns0:select·idref="sebool_selinuxuser_execstack"·selected="true"/> 
296 ····<ns0:select·idref="selinux_confinement_of_daemons"·selected="true"/> 
297 ····<ns0:select·idref="selinux_policytype"·selected="true"/> 
298 ····<ns0:select·idref="selinux_state"·selected="true"/> 
299 ····<ns0:select·idref="service_kdump_disabled"·selected="true"/> 
300 ····<ns0:select·idref="sysctl_fs_suid_dumpable"·selected="true"/> 
301 ····<ns0:select·idref="sysctl_kernel_dmesg_restrict"·selected="true"/> 
302 ····<ns0:select·idref="sysctl_kernel_exec_shield"·selected="true"/> 
303 ····<ns0:select·idref="sysctl_kernel_randomize_va_space"·selected="true"/> 
304 ····<ns0:select·idref="rpm_verify_hashes"·selected="true"/> 
305 ····<ns0:select·idref="rpm_verify_permissions"·selected="true"/> 
306 ····<ns0:select·idref="ensure_redhat_gpgkey_installed"·selected="true"/> 
307 ····<ns0:select·idref="ensure_gpgcheck_globally_activated"·selected="true"/> 
308 ····<ns0:select·idref="ensure_gpgcheck_never_disabled"·selected="true"/> 
309 ····<ns0:select·idref="ensure_gpgcheck_repo_metadata"·selected="true"/> 
310 ····<ns0:select·idref="ensure_gpgcheck_local_packages"·selected="true"/> 
311 ····<ns0:select·idref="bootloader_audit_argument"·selected="true"/> 
312 ····<ns0:select·idref="service_auditd_enabled"·selected="true"/> 
313 ····<ns0:select·idref="audit_rules_privileged_commands_sudo"·selected="true"/> 
314 ····<ns0:select·idref="audit_rules_privileged_commands_su"·selected="true"/> 
315 ····<ns0:select·idref="audit_rules_immutable"·selected="true"/> 
316 ····<ns0:select·idref="kernel_module_usb-storage_disabled"·selected="true"/> 
317 ····<ns0:select·idref="service_autofs_disabled"·selected="true"/> 
318 ····<ns0:select·idref="auditd_audispd_syslog_plugin_activated"·selected="true"/> 
319 ····<ns0:select·idref="rsyslog_remote_loghost"·selected="true"/> 
320 ····<ns0:select·idref="auditd_data_retention_flush"·selected="true"/> 
321 ····<ns0:select·idref="audit_rules_dac_modification_chmod"·selected="true"/> 
322 ····<ns0:select·idref="audit_rules_dac_modification_chown"·selected="true"/> 
323 ····<ns0:select·idref="audit_rules_dac_modification_fchmodat"·selected="true"/> 
324 ····<ns0:select·idref="audit_rules_dac_modification_fchmod"·selected="true"/> 
325 ····<ns0:select·idref="audit_rules_dac_modification_fchownat"·selected="true"/> 
326 ····<ns0:select·idref="audit_rules_dac_modification_fchown"·selected="true"/> 
327 ····<ns0:select·idref="audit_rules_dac_modification_fremovexattr"·selected="true"/> 
328 ····<ns0:select·idref="audit_rules_dac_modification_fsetxattr"·selected="true"/> 
329 ····<ns0:select·idref="audit_rules_dac_modification_lchown"·selected="true"/> 
330 ····<ns0:select·idref="audit_rules_dac_modification_lremovexattr"·selected="true"/> 
331 ····<ns0:select·idref="audit_rules_dac_modification_lsetxattr"·selected="true"/> 
332 ····<ns0:select·idref="audit_rules_dac_modification_removexattr"·selected="true"/> 
333 ····<ns0:select·idref="audit_rules_dac_modification_setxattr"·selected="true"/> 
334 ····<ns0:select·idref="audit_rules_execution_chcon"·selected="true"/> 
335 ····<ns0:select·idref="audit_rules_execution_restorecon"·selected="true"/> 
336 ····<ns0:select·idref="audit_rules_execution_semanage"·selected="true"/> 
337 ····<ns0:select·idref="audit_rules_execution_setsebool"·selected="true"/> 
338 ····<ns0:select·idref="audit_rules_file_deletion_events_renameat"·selected="true"/> 
339 ····<ns0:select·idref="audit_rules_file_deletion_events_rename"·selected="true"/> 
340 ····<ns0:select·idref="audit_rules_file_deletion_events_rmdir"·selected="true"/> 
341 ····<ns0:select·idref="audit_rules_file_deletion_events_unlinkat"·selected="true"/> 
342 ····<ns0:select·idref="audit_rules_file_deletion_events_unlink"·selected="true"/> 
343 ····<ns0:select·idref="audit_rules_kernel_module_loading_delete"·selected="true"/> 
344 ····<ns0:select·idref="audit_rules_kernel_module_loading_init"·selected="true"/> 
345 ····<ns0:select·idref="audit_rules_kernel_module_loading_insmod"·selected="true"/> 
346 ····<ns0:select·idref="audit_rules_kernel_module_loading_modprobe"·selected="true"/> 
Max diff block lines reached; 1966174/1989941 bytes (98.81%) of diff not shown.
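Review bot: The entire `hipaa` Profile (old line 228 onward, starting at `<ns0:Profile id="hipaa">`) has no counterpart at this position in the second build of ssg-sl7-xccdf.xml, which is what shrinks the hunk from 348 to 14 lines; the page truncates the hunk, so it cannot be told here whether the profile moved later in the file or was dropped entirely. Because a scan that selects the hipaa profile would silently evaluate no rules if the profile is absent, the profile lists of the two artifacts should be compared directly (for example by extracting every `ns0:Profile` id from each build) before this is treated as a pure ordering difference. If it is ordering, profile emission should be made deterministic in the generator, since the same reordering pattern appears in the OCIL questionnaires of ssg-sl7-ds.xml above.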